
Monthly Roundup of Data Protection News: March 2019

Last month in data protection news:
● Political campaigns and the GDPR: a feature story on the issues raised by processing personal data for political purposes.
● First GDPR fine in Poland: business information aggregator sanctioned for lack of transparency.
● Copyright Directive vs GDPR: see where the legislation overlaps and what this means for content sharing platforms.
● AdTech industry under scrutiny: structural flaws of data processing in online advertising.
● Regulation from France on biometric data: when and how can companies use biometric access systems.
● Data protection guidelines and reports from EU institutions.
● Cases and decisions from EU Member States and the CJEU.
● Enforcement actions taken by National Data Protection Authorities.
● More data protection news from Europe and worldwide.

Planet 49

ECJ case to settle what should be common sense on cookie consent

This week ECJ Advocate General Maciej Szpunar issued his Opinion in the Planet49 case, a case dealing with issues which should have been sufficiently clear not to bother the Court in the first place. Namely, it is about (a) pre-checked boxes as a means to collect consent for placing cookies, (b) whether, under the ePrivacy Directive, the same consent conditions apply irrespective of whether storing and gaining access to information on a user’s equipment amounts to processing personal data, and (c) what counts as clear and comprehensive information about cookies. The case started in Germany in 2017, when the Data Protection Directive 95/46/EC (the “DPD”) was in force, but the preliminary questions regarding consent also refer to the GDPR.

According to the facts described in the AG Opinion, Planet49 was organizing a promotional lottery on a website and presented two checkboxes to people when they wanted to participate:

1. “I agree to certain sponsors and cooperation partners providing me with information by post or by telephone or by email/SMS about offers from their respective commercial sector. I can determine these myself here; otherwise, the selection is made by the organiser. I can revoke this consent at any time. Further information about this can be found here”
2. “I agree to the web analytics service Remintrex being used for me. This has the consequence that, following registration for the lottery, the lottery organiser, Planet49 GmbH, sets cookies, which enables Planet49 to evaluate my surfing and use behaviour on websites of advertising partners and thus enables advertising by Remintrex that is based on a user’s interests. I can delete the cookies again at any time. You can read more about this here.”

Checkbox 2: consent is not valid under the DPD or the GDPR

On the issue of the pre-ticked Checkbox no. 2, the AG is of the view that it does not constitute valid consent, neither under the DPD nor under the GDPR. Consent must be an active and unambiguous behaviour, and these conditions are not met in the case of a pre-formulated text which requires a person to actively object to it (i.e. to uncheck the box). Moreover, consent for placing cookies must be separate and cannot be inferred from other types of user behaviour such as reading a web page, clicking on a button to participate in the lottery or watching a video. In other words, if you did not uncheck box no. 2 but hit the button to participate in the lottery, this last action would signify both consent for cookies and consent for the lottery, which is ambiguous. The same principles regarding consent also apply under the GDPR.

The AG also took the opportunity to provide clarifications on what cookies represent and underlined some useful principles on the topic of placing cookies. Although cookies can be categorised according to their lifespan or the domain they belong to, the AG says that “The validity of consent to the placement of cookies and the applicability of any relevant exemptions, however, should be evaluated based on the purpose of the cookie rather than the technical features.”

Checkbox 1: national court to assess whether participation in the lottery can be conditioned on consent

The AG considers that the national court must assess whether the processing of personal data can be considered necessary for the participation in the lottery. If so, Planet 49 can validly condition the participation on the person’s agreement that their personal data be processed for sending promotional offers. In other words, it could be that obliging users to tick box no. 1 before they can hit the button to participate in the lottery is lawful.

However, we point out that this is not an issue of consent per se. It is quite misleading to ask someone to check a box, as if asking for consent, when the processing of personal data would in fact be necessary for the performance of a contract with the data subject.

Placing cookies and processing personal data

The accessing of data from cookies placed by Planet 49 constitutes processing of personal data – this is an uncontested aspect of the case. Still, the referring national court asks whether, from the standpoint of the ePrivacy Directive requirements on consent, it makes a difference if the information stored or accessed constitutes personal data.

This question seemingly arose because of the way in which the German law transposed the ePrivacy Directive. The German Telemedia Act (TMG) article 15(3) suggested that the requirements on consent under the DPD/GDPR would not apply if the information stored and accessed would not constitute personal data.

The AG clarifies that, under the ePrivacy Directive, the conditions for valid consent (as provided by the DPD/GDPR) apply to any storing and accessing of information on a person’s device, irrespective of such information being personal data or not.

What constitutes clear and comprehensive information about cookies?

What kind of information should Planet49 have provided to users in order to obtain informed consent for placing cookies? The AG says that the functioning of cookies is technically complex and that “the average internet user cannot be expected to have a high level of knowledge of the operation of cookies”.

Clear and comprehensive information on cookies means that the user can “easily determine the consequences of any consent he might give. To that end he must be able to assess the effects of his actions.” From a practical perspective this means that:

  (a) the user must receive information about the lifespan of the cookies; and
  (b) whether third parties have access to the cookie information or not (if yes, such third parties must be identified).

Of course, we underline that points (a) and (b) above must be presented together with the purposes of the cookies. See this presentation by a representative of the Spanish Data Protection Authority on providing information to users about cookies (available in Spanish).
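As an added illustration of the two practical points above (the pre-ticked analytics box discussed under Checkbox 2, and the lifespan, third-party and purpose information the AG requires), here is a small consent gate written for this roundup. It is not code from the original page, from Planet49 or from the Opinion. Checkboxes are modelled as plain objects so the logic runs under Node without a browser, and every name in it (ANALYTICS_NOTICE, gateCookieConsent, consentFromCheckbox, the sample notice text and sample submissions) is this example's own assumption.

```javascript
// Added example, not from the page or the AG Opinion. Models the Planet49 facts:
// an analytics cookie may be set only after a separate, affirmative act, and only
// if the user was told the purpose, the lifespan and who else reads the cookie.

// Constructed notice text; a real notice would be the controller's own wording.
const ANALYTICS_NOTICE = {
  purpose: "web analytics for interest-based advertising (constructed example text)",
  lifespanDays: 365,           // the AG: the user must be told how long the cookie lives
  thirdParties: ["Remintrex"]  // and whether third parties get access; [] means nobody
};

// "Clear and comprehensive" in the AG's sense: purpose, lifespan and third-party
// access must all be stated (third parties named, if any).
function noticeIsComplete(notice) {
  return typeof notice.purpose === "string" && notice.purpose.length > 0
    && Number.isInteger(notice.lifespanDays) && notice.lifespanDays > 0
    && Array.isArray(notice.thirdParties)
    && notice.thirdParties.every(p => typeof p === "string" && p.length > 0);
}

// `box` models a checkbox: `defaultChecked` is how the page rendered it,
// `checked` is its state at submission. A box rendered pre-ticked cannot tell a user
// who actively agreed from one who never touched it, so it never yields consent.
function consentFromCheckbox(box) {
  if (!box.checked) return false;        // unticked: no consent
  if (box.defaultChecked) return false;  // pre-ticked: not an affirmative act
  return true;                           // ticked by the user: affirmative, unambiguous
}

// Decide whether the analytics cookie may be set on form submission. The
// "participate" click is deliberately not an input: it is consent to the lottery
// only and cannot double as cookie consent.
function gateCookieConsent(form, notice) {
  const reasons = [];
  if (!noticeIsComplete(notice)) reasons.push("notice incomplete");
  if (!consentFromCheckbox(form.analyticsBox)) reasons.push("no affirmative act for analytics cookie");
  return { setCookie: reasons.length === 0, reasons };
}

// Hardened rendering of the analytics box: it always starts unchecked.
function renderAnalyticsBox() {
  return { defaultChecked: false, checked: false };
}

// Evidence the controller keeps when consent is granted (what the user was told,
// when, and which act carried the consent). `now` is injected for testability.
function consentRecord(form, notice, now) {
  const decision = gateCookieConsent(form, notice);
  if (!decision.setCookie) return null;
  return {
    grantedAt: now.toISOString(),
    purpose: notice.purpose,
    lifespanDays: notice.lifespanDays,
    thirdParties: [...notice.thirdParties],
    act: "analytics checkbox ticked by user"
  };
}

// Constructed sample submissions: the Planet49 rendering (box pre-ticked and left
// alone) versus a user who ticked an initially unchecked box.
const preTickedLeftAlone = { analyticsBox: { defaultChecked: true, checked: true }, participateClicked: true };
const userTicked = { analyticsBox: renderAnalyticsBox(), participateClicked: true };
userTicked.analyticsBox.checked = true;

console.log(gateCookieConsent(preTickedLeftAlone, ANALYTICS_NOTICE));
console.log(gateCookieConsent(userTicked, ANALYTICS_NOTICE));
```

The gate refuses a pre-ticked box outright rather than trying to infer what the user did with it, which is the practical consequence of the AG's view that such a box is not a consent mechanism at all. The `participateClicked` field is carried in the sample input only to show that it plays no role in the decision. A real deployment would persist the record returned by `consentRecord` so the controller can demonstrate consent (Art. 7(1) GDPR), and would set the cookie with the lifespan that the notice actually stated.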

Case-law generated by incorrect transpositions of the ePrivacy Directive?

Just reading the ePrivacy Directive, it is surprising that the German referring court felt the need to send preliminary questions to the ECJ at all. However, as the AG indicated in para. 109 of his Opinion, “it does appear as if Article 15(3) of the TMG does not fully transpose the requirements of Article 5(3) of Directive 2002/58 into German law”, and this is connected to the need to ask whether it makes a difference, under the ePrivacy Directive requirements on consent, if the information stored or accessed is personal data.

For example, the Romanian ePrivacy Law “forgot” to transpose an essential detail resulting in the fact that lawyers have to make additional interpretation steps to reach a basic conclusion. Namely, the Romanian ePrivacy Law did not transpose at all the definition of consent which is provided in Art. 2(f) in the ePrivacy Directive and which states that ‘consent’ by a user or subscriber corresponds to the data subject’s consent in Directive 95/46/EC. The Romanian ePrivacy Law merely states as a general provision that it shall be supplemented by the Romanian Data Protection Law (which had in the past transposed the DPD and is presently replaced by the GDPR). Obviously, since the ePrivacy Directive refers to consent in the former DPD, which has been replaced by the GDPR, it follows that consent for cookie placement is the same consent regulated under the GDPR, and that this standard applies even where there is no processing of personal data through those cookies.

Unfortunately, transposition errors such as the one in the Romanian ePrivacy Law and seemingly the one in the German Telemedia Act give rise to debates on issues which should have already been settled.


What’s (not) new about EDPB’s Statement on political campaigns

On 14 March 2019 the EDPB issued a Statement on the use of personal data in the course of political campaigns, following its 8th plenary session. This was supposed to be an important position document in light of the upcoming EU Parliament elections in May, however it left us with even more questions and not one solution.

Just a short recap of what’s been going on in relation to the subject matter:

  • the Cambridge Analytica scandal – really, there’s no need to remind everyone about the details, but you can consult the ICO’s section on the case.
  • There are issues about Member States’ laws regulating the use of personal data for political purposes. See the example of Spain, where the GDPR application law has been approved with an article which raises concerns about collecting personal data from other sources in order to carry out electoral activities. The Spanish DPA states that the law should not be applied so as to allow profiling based on political opinions and sending personalized communications based on those profiles; however, the law was adopted with the problematic provisions in place. This issue was also raised by MEP Sophia in ’t Veld, and the Commission answered this February that it has contacted the Spanish Minister of Justice to clarify the content of the Spanish legal provisions.
  • In Romania, privacy advocacy NGO ApTI sent a complaint to the Commission indicating problems with the Romanian law which applies the GDPR. These problems include the provisions on processing special categories of data by political parties without the data subjects’ explicit consent (GDPR Art. 9.2.d) – i.e. instead of “legitimate activities” the law says “achieving their objectives” and does not limit the processing just to “members or to former members of the body or to persons who have regular contact with it in connection with its purposes”.

Despite the obvious need for clear guidance, the EDPB Statement is very brief and looks like it was rushed in order to tick a box. Here’s why:

  •  The Statement is an enumeration of general GDPR principles: everyone knows political opinions are a special category of data, subject to the GDPR Art. 9 limitations. Also, we know that when you process data from other sources and when you send targeted advertising you still have to comply with the GDPR. That already wastes 4 of the 5 points of the Statement.
  •  We would have found some useful information in the paragraph about decision-making based on automated processing. But here we were struck with an error (which should stop being promoted) about profiling being considered a form of automated decision-making. Profiling is a form of automated processing which can lead to a decision affecting the data subject, not a form of decision-making in itself.
EDPB Statement: “Solely automated decision-making, including profiling, where the decision legally or similarly significantly affects the individual subject to the decision, is restricted.”
GDPR Article 22(1): “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
  • Returning to the issue of significantly affecting the data subject, the EDPB says that “Profiling connected to targeted campaign messaging may in certain circumstances cause ‘similarly significant effects’ and shall in principle only be lawful with the valid explicit consent of the data subject.” How could we identify these circumstances? How do we know when targeted campaigns based on profiling which includes special categories of data are “affecting a person’s vote in an election”?
  • For further research and clarifications, the EDPB sends us to a list of other authorities’ opinions and guidance, in an Annex to its Statement. So if you also know Dutch, French and Polish, you might get the full information.

So it’s back to work as usual with our remaining questions:

  • What constitutes a “similarly significant effect” according to GDPR Art. 22(1) when it comes to electoral campaign targeting?
  • Could political opinions ever actually be used for profiling by political parties without the data subjects’ explicit consent, based on Art. 9(2)(d)? We believe not, since that basis is limited to members, former members or regular contacts.
  • What information is actually considered to fall in the category of “political opinion” and limit the possibility of data processing? Quite simple and trivial information may lead to conclusions about the person’s political preferences in the context of profiling.

If the GDPR were a supermarket, there’s a big spill in the political purposes aisle and the EDPB is sending someone in with a tissue.

Our pro bono work in 2018

Pro bono work and public participation are part of our core organizational values. We try to find time and resources to make data protection better in Romania.

Romanian DPA leadership decided behind closed doors

The Romanian data protection authority (the ANSPDCP) has recently been the subject of worrying developments, and now the authority’s leadership is being decided in a hush-hush manner behind closed doors.

On 20 November 2018, the current President of the ANSPDCP, Mrs. Ancuţa Opre, was nominated for re-appointment by the Social Democratic Party (PSD, of which she used to be a member and which had nominated her also in 2013) and heard in the meeting of the Legal, Appointments, Labor, Immunities and Validations Committee of the Romanian Senate.[1] The hearing took place on Tuesday, at 10 am, with absolutely no prior information provided to the public.

Mrs. Opre was first appointed after being nominated by the Romanian Social Democratic Party on 26 June 2013 for a 5-year term of office[2], in spite of her not having any experience or qualifications related to personal data protection. It seems quite strange that after exceeding her mandate by almost 5 months she would be hurried up for re-appointment in the utmost secrecy, and also without any counter-candidates.

One of the members of the hearing Committee from an opposing party (USR) claims that the scheduling of the hearing was done on the previous Sunday evening, and that the names of the persons proposed for President and Vice-President of the ANSPDCP were not provided to the Committee members in advance.[3]

The GDPR requires the supervisory authorities to be independent, which also means that they must “remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from anybody” (art. 51.2 GDPR). In my view the requirement for the ANSPDCP to be independent is not compatible with the lack of transparency concerning the appointment of the leader of the institution, with the fact that there is no competition whatsoever, not to mention the fact that the appointment is not made based on competencies.

Here is what the law regulating ANSPDCP (Law No. 102/2005, Article 6.2) requires:

The president and the vice-president are politically independent persons with a strong professional competence, including in the field of personal data protection, at least 10 years seniority in the field, a good reputation and high civic probity.

Mrs. Opre had no connection with the field of personal data protection prior to her appointment directly as the president of ANSPDCP in 2013. She ran for a parliamentary term in 2008, on behalf of PSD – the same party that later nominated her in management positions in public authorities, including president of ANSPDCP. Mrs. Opre seldom participates in any data protection conferences or events, and did not publish any articles or papers in the field. And if this wasn’t bad enough, she is undergoing criminal investigation for abuse in office related to her previous appointment as president of the Central Committee for Damages Appraisal within the National Authority for Property Restitution[4].

Take a minute and compare this to Helen Dixon from the Irish Data Protection Commission, Elizabeth Denham from the UK Information Commissioner’s Office, Isabelle Falque-Pierrotin from the French CNIL and many other examples of real leaders in the data protection world, whose voice is well established and sought after by professionals.

In addition to everything else, this scrambling for a highly opaque political decision comes in the midst of an incident which is now famous at the EU level[6] and was dubbed by the Council of Europe a media freedom alert[7]. A few weeks ago the ANSPDCP led by Mrs. Opre summoned a well-known journalists’ organization (RISE Project) to disclose their sources and to prove (among other things) that they had provided data subjects with the information required by Art. 13-14 GDPR, in connection with documents published by RISE Project in an investigation which targeted PSD, the very same political party having close ties with Mrs. Opre[8]. The request for answers also mentioned the risk of high fines (20 M Eur), as well as a penalty of approx. 640 Eur per day for any delay in providing information. This happened in spite of the fact that the Romanian GDPR Application Law (no. 190/2018) expressly regulates the journalistic exemption from the GDPR.

The ANSPDCP press releases which followed the RISE Project case[9] do not bring any clarity to how the supervisory authority will apply the journalistic exemption, since in this case the journalists were treated in the same way as any data controller. Moreover, the Authority takes the very simplistic approach that it received a complaint from a data subject and thus needs to investigate, prompting the natural question why it does not perform any analysis of its own before acting upon dubious complaints. For example, under article 10.3 of ANSPDCP’s procedure for handling complaints it must verify ex officio that it is materially competent to handle the complaint, whereas article 7 of the GDPR Implementation Law No. 190/2018 provides that the journalistic exemption applies with regard to the chapter setting out the attributions of the DPA (see here the unofficial translation into English of the Romanian GDPR Implementation Law). The Authority also sends out rather standard requests for information to investigated entities, with very little (if any) tailoring to the situation at hand, which is unhelpful and confusing to the recipients of such requests: for example, asking how consent is obtained when the legal basis is different, or asking for proof of informing data subjects when the recipient is a press organisation.

These current events are eroding the trust in the Romanian data protection authority, in a country where that authority did not issue any guidance to help controllers understand and apply data protection rules, and where we see widespread skepticism against the GDPR.

In my view this is a very serious matter that needs to be looked into by the Commission, since it infringes the independence of the Romanian data protection authority and undermines the requirement of Article 55 GDPR that “each supervisory authority shall be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with this Regulation on the territory of its own Member State”.

 

I’m also very surprised how quiet everyone is on this matter – I did not find any critical piece written by someone in the field, even though the activity of the DPA should concern all of us.

Special thanks are due to Dana Ududec for massively helping out with the research behind this.

ANSPDCP President receives a new mandate at the head of the data protection authority

Mrs. Ancuța Opre, president of the ANSPDCP during the 2013-2018 term, was yesterday appointed again to head the Romanian data protection authority. The entire appointment procedure was carried out very quickly, and for the position of president Mrs. Opre was the only candidate.
Less than a week after being heard on 20 November by the Senate’s Legal Committee, Mrs. Opre received a favourable report from that committee and was proposed for appointment to the Senate plenary.

The Legal Committee’s report contains no indication as to whether the criteria of independence, professional competence, good reputation and high civic probity required by Law no. 102/2005, which regulates the functioning of the ANSPDCP, are met. The report simply states: “The Committee found that Mrs. Ancuța Geanina Opre meets the conditions provided by law”.
On the same day on which the Permanent Bureau of the Senate received the Legal Committee’s report, the plenary vote for the appointment of the ANSPDCP president also took place. Mrs. Opre presented her achievements in this speech (transcript based on the video recordings of the session):
“Thank you, Mr. President. Esteemed Mr. President, ladies and gentlemen senators, allow me to give a short presentation of my activity within the National Authority for the Protection of Personal Data. I am a graduate of a higher legal education institution, with almost 16 years of seniority, and since 2002 I have been working as an associate professor in the university environment. During 2013-2018 the activity of the National Supervisory Authority for Personal Data Processing focused on fulfilling its role as guarantor of the defence of the right to private life with regard to the protection of personal data. Since 2013, when I took over the leadership of the National Supervisory Authority for Personal Data Processing, I have mainly pursued the fulfilment of the authority’s legal competences and the implementation of the national framework needed for the application of the European data protection Regulation. All these objectives were achieved and materialised through the activity reports presented annually, and also through the authority’s involvement in the adoption of the two normative acts needed for the application of the European Regulation, namely Law 129/2018 and Law 190/2018. After the adoption of these two important laws, the authority issued normative acts, decisions of a normative character intended to ensure the effective application of the Regulation after 25 May 2018. Thus, the Procedure for handling complaints, the Form for notifying personal data security breaches, the Procedure for conducting investigations, and the List of operations requiring a data protection impact assessment were published in the Official Gazette.
Going forward, I intend to ensure continuity, to consolidate the institutional and administrative capacity of the National Authority for Data Protection, to intensify the measures for informing the general public and controllers about the rights and principles of personal data protection, to issue the normative decisions needed for the application of the European data protection Regulation, and, last but not least, to ensure the continuity of Romania’s representation within the European Data Protection Board and its related working groups and subgroups. Finally, I would like to point out that, unlike other Member States of the European Union, Romania is among the states that adopted the normative framework needed for the application of the European Regulation in due time. Thank you.”

source: http://www.senat.ro/Live.aspx (select “Vizualizaţi” next to the session of 26 November 2018)
Of the senators present, nobody had any questions for the candidate. The vote was a secret electronic one, and the result was: 91 senators present, 63 in favour, 27 against, 1 abstention.

[RO] The ANSPDCP investigation procedure explained

The ANSPDCP, the Romanian data protection authority, published Decision no. 161/2018, approving the procedure for conducting investigations. The full text of the procedure is available here.

The PrivacyOne team analysed the procedure and presents the main elements to keep in mind in a Legal Alert dedicated entirely to this topic, available online here.

The presentation covers:

  • The measures the ANSPDCP may order
  • The grounds on which investigations may be opened
  • When, where and how investigations are carried out
  • The rights and obligations of ANSPDCP staff
  • The rights and obligations of data controllers
  • The ways in which the measures ordered can be challenged
  • Other important aspects of the investigation procedure

 

Romanian DPA adopts DPIA List

The Romanian data protection authority (the ANSPDCP) has adopted the final list of cases which require a data protection impact assessment (DPIA).

The unofficial translation into English of the list, prepared by PrivacyOne, can be found here.

PrivacyOne has contributed with observations on the draft DPIA list which was previously opened for public debates according to the national transparency regulations. The final list reflects some of the points we raised, such as certain terminology issues.

We underline that the list is only indicative and we recommend that data controllers always refer to the general rules in GDPR Art. 35 whenever they need to decide whether a DPIA is required for their proposed data processing operations.

The list, which was adopted through ANSPDCP Decision no. 174/2018 on 18 October 2018, is applicable from 31 October 2018.

[RO] Transfer of data to the bank’s group in the ARB Code of Conduct

On 5 November 2018 the Romanian Banking Association (ARB) published its new Code of Conduct, which also covers data protection aspects: http://www.arb.ro/codul-de-conduita/.

The Code establishes the confidentiality of data provided by clients and the obligation of bank employees to protect such data. However, the wording on the disclosure of this personal data to entities within the bank’s group (section 2.5 of the Code) may create confusion:

“In order to offer services of the highest quality, this data will be accessible only to employees, including those of companies in the banks’ group, or to persons authorised by the bank or to entities authorised for this purpose by law, by a court decision or by the client”.

Under the GDPR, such a disclosure of personal data to other entities within the credit institution’s group must rely on one of the legal bases in Art. 6 GDPR (e.g. consent, performance of a contract, legal obligation).

Assuming that offering “services of the highest quality” were a legitimate interest, a proportionality analysis against the interference with the rights and interests of the data subjects is required, and a purely economic interest does not pass this test (see the CJEU judgment in Google Spain, para. 97).

  •  In no case can the disclosure be made simply so that entities in the bank’s group can offer other services.
We also recall that banks, as controllers, are obliged under the GDPR to inform data subjects about the recipients of their personal data. Where those recipients are other controllers (and not processors acting for the bank), the disclosure must include the actual names of those entities, not just categories.

Finally, this Code of Conduct is not one approved under Art. 40 GDPR, and for this reason it cannot be used by banks as an element demonstrating compliance with the security-of-processing requirements (Art. 32(3) GDPR), nor relied upon when carrying out a data protection impact assessment (Art. 35(8) GDPR).