Category: European Union
23. March 2022
In a legal dispute that has been ongoing since 2020, the Polish Commissioner for Human Rights recently stated that the disclosure of land register numbers can lead to obtaining a large amount of personal data contained in the registers. In his opinion, general access to such detailed data harms and significantly restricts the informational autonomy of individuals.
The Commissioner’s view confirms the position of the Polish Data Protection Authority, which, in an administrative decision dated August 24th, 2020, ordered the Polish General Surveyor to cease making land register numbers available on the website “GEOPORTAL2”. He also imposed a fine of PLN 100,000 for violating the principle of lawfulness under Articles 5 para. 1 lit. a, 6 para. 1 GDPR, as there was no legal basis for the processing.
The decision was justified by the fact that land register numbers allow indirect identification of property owners and are therefore considered personal data. Moreover, the publication of these enables access to further data such as national ID number or property address. This may lead to a variety of dangers associated with the use of such data, in particular identity theft or impersonation for criminal purposes.
This opinion was also held by the Polish Voivodeship Administrative Court in Warsaw, which on May 5th, 2021, dismissed the Surveyor’s complaint against the decision of the Polish Data Protection Authority.
16. March 2022
On March 15th, 2022, the Irish Data Protection Commission (DPC) has imposed a fine on Meta Platforms 17 million euros over a series of twelve data breaches, which happened from June to December 2018.
The inquiry of the DPC which led to this decision examined the extent to which Meta Platforms complied with the requirements of Arti. 5(1)(f), Art. 5(2), Art. 24(1) and Art. 32(1) GDPR in relation to the processing of personal data relevant to the twelve breach notifications.
As the result of this inquiry, the DPC found that Meta Platforms infringed Art. 5(2) and 24(1) GDPR. In particular, the DPC assessed that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect the data of its European users in the case of those twelve data breaches.
The processing under examination constituted a “cross-border” processing, and as such the DPC’s decision was subject to the co-decision-making process outlined in Art. 60 GDPR. This resulted in all of the other European supervisory authorities to be engaged in this decision as co-decision-makers. While objections to the DPC’s draft decision were raised by two of the European supervisory authorities, consensus was achieved through further engagement between the DPC, and the supervisory authorities concerned.
“Accordingly, the DPC’s decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU,” the DPC stated in their press release.
A Meta spokesperson has commented on the decision, stating, “This fine is about record keeping practices from 2018 that we have since updated, not a failure to protect people’s information. We take our obligations under the GDPR seriously and will carefully consider this decision as our processes continue to evolve.”
25. January 2022
The European Data Protection Supervisor (EDPS) ruled that the European Parliament (EP) offended against a judgement of the European Court of Justice (ECJ) by transferring data to the US using US origin tech tools on their website for COVID-19 tests. This judgement relies on a complaint that involves misleading cookie banners, uncertain data privacy statements and unlawful data transfers from the EU to the US.
The ECJ makes clear that the transfer of personal data from the EU to the US is topic of strict conditions. Websites can only transfer data to the US if a certain security level is given. In this case there was not such a security level available.
The misleading cookie banners were so vague that the cookies were not listed in total and some differences between language options became appearent. Therefore, the website users could not give their valid consent.
Furthermore, the data privacy information were not clear and transparent, in that they refer to an incorrect legal basis for the processing. The given references were also in violation of transperency and requests of information.
Even during the process the EP tried to improve the technical deficits.
The EDPS issued a caution because in contrast to national data protection authorities it can only sentence under certain conditions, which were not given in this case. In result, it imposed a cease and desist order with a one month deadline for the EP to adjust the compliance.
13. January 2022
Shortly after the European Data Protection Supervisor (EDPS) had notified EU’s Agency for Law Enforcement Cooperation (Europol) of the order restricting data collection practices, the agency strongly objected. We have already reported on the decision setting a retention period of six months for all datasets submitted to the agency.
Europol is concerned that the order will harm investigations, as the agency typically needs to retain data for longer than six months to effectively fight against evils such as terrorism and child abuse. It was precisely the past practices that also enabled the EU arresting numerous of drug traffickers and suspected criminals.
EU’s Commissioner for Home Affairs, Ylva Johansson, agreed with the concern, arguing that it would jeopardize criminal investigations if law enforcement agencies have to start disposing of the data they have collected. She stated that
the potential risk of the decision is huge. If a member state or national police cannot use Europol to help with the analysis of big data … then they will be blind because a lot of national police forces do not have the capacity to deal with this big data.
According to critical comment, law enforcement and security agencies should be given better access to citizens’ data. Johansson advocates this as well. Europol’s powers to process large datasets could soon be strengthened as part of a reform of its mandate. However, this intention also meets with criticism, as Chloé Berthélémy of the European Digital Rights NGO expresses:
The EDPS has taken a critical step today to finally end Europol’s unlawful processing of data … Unfortunately, the reform of Europol to be adopted soon … will reverse all these efforts as it is set to legalize the very same practices that undermine data protection and fair trial rights.
12. January 2022
On January 3rd, 2022, the European Data Protection Supervisor (EDPS) notified the EU’s Agency for Law Enforcement Cooperation (Europol) of an order to delete data of individuals who have not been linked to a crime or a criminal activity. This decision, dated December 21st, 2021, marks the conclusion of EDPS’ investigation launched in 2019.
The own-initiative inquiry concerned Europol’s processing of personal data in large datasets for the purpose of strategic and operational analysis (referred to as Europol’s Big Data Challenge). The investigation revealed non-compliance with the data protection rules laid down in the Europol Regulation (ER), especially the principles of data minimization (Article 28 (1) (c) ER) and data retention (Article 28 (1) (e) ER).
Article 18 (2) (b), (c), (5) and Annex II. B. (1), (3) ER limit the categories of data subjects about whom Europol can process data for the aforementioned purposes to ‘suspects’, ‘potential future criminals’, ‘contacts and associates’, ‘victims’, ‘witnesses’ and ‘informants’. To meet this requirement, large datasets must undergo a process of filtering and extraction called Data Subject Categorization (DSC). Therefore, processing of datasets lacking the DSC should be limited to the shortest time necessary to materially proceed to such categorization. This is important to ensure that processing of data of persons, whose link to crimes has not been established, ceases as soon as possible. It is justified by the fact that in particular the continued storage poses a risk to fundamental rights of these individuals.
EDPS then admonished Europol and urged it to take all necessary and appropriate measures to mitigate the risks for individuals arising from such data processing activities. For this purpose, Europol was also advised to establish an action plan and inform EDPS thereof.
Although Europol has taken some action since then, it has not established an appropriate retention period for the datasets without DSC. As a consequence, the EDPS has decided to impose a retention period of 6 months for all datasets submitted to Europol by EU Member States as of January 4th, 2022, which should allow the filtering and extraction of the permitted personal data. Datasets that do not undergo DSC during this period must be deleted. The EDPS has also given Europol a period of 12 months to comply with the decision for the datasets previously received. Should this period elapse before the datasets undergo DSC, they must be deleted as well.
30. December 2021
On December 17th, 2021, the European Commission (Commission) announced in a statement it had adopted an adequacy decision for the transfer of personal data from the European Union (EU) to the Republic of Korea (South Korea) under the General Data Protection Regulation (GDPR).
An adequacy decision is one of the instruments available under the GDPR to transfer personal data from the EU to third countries that ensure a comparable level of protection for personal data as the EU. It is a Commission decision under which personal data can flow freely and securely from the EU to the third country in question without any further conditions or authorizations being required. In other words, the transfer of data to the third country in question can be handled in the same way as the transfer of data within the EU.
This adequacy decision allows for the free flow of personal data between the EU and South Korea without the need for any further authorization or transfer instrument, and it also applies to the transfer of personal data between public sector bodies. It complements the Free Trade Agreement (FTA) between the EU and South Korea, which entered into force in July 2011. The trade agreement has led to a significant increase in bilateral trade in goods and services and, inevitably, in the exchange of personal data.
Unlike the adequacy decision regarding the United Kingdom, this adequacy decision is not time-limited.
The Commission’s statement reads:
The adequacy decision will complement the EU – Republic of Korea Free Trade Agreement with respect to personal data flows. As such, it shows that, in the digital era, promoting high privacy and personal data protection standards and facilitating international trade can go hand in hand.
In South Korea, the processing of personal data is governed by the Personal Information Portection Act (PIPA), which provides similar principles, safeguards, individual rights and obligations as the ones under EU law.
An important step in the adequacy talks was the reform of PIPA, which took effect in August 2020 and strengthened the investigative and enforcement powers of the Personal Information Protection Commission (PIPC), the independent data protection authority of South Korea. As part of the adequacy talks, both sides also agreed on several additional safeguards that will improve the protection of personal data processed in South Korea, such as transparency and onward transfers.
These safeguards provide stronger protections, for example, South Korean data importers will be required to inform Europeans about the processing of their data, and onward transfers to third countries must ensure that the data continue to enjoy the same level of protection. These regulations are binding and can be enforced by the PIPC and South Korean courts.
The Commission has also published a Q&A on the adequacy decision.
16. December 2021
On December 2nd, EU Advocate General Richard de la Tour published an opinion in which he stated that EU member states may allow consumer protection associations to bring representative actions against infringements of rights that data subjects derive directly from the General Data Protection Regulation (“GDPR”). In doing so, he agrees with the legal opinion of the Federation of the Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (Federation of German Consumer Organisations (“vzbv”)), which has filed an action for an injunction against Facebook in German courts for non-transparent use of data.
The lawsuit of the vzbv is specifically about third-party games that Facebook offers in its “App Center”. In order to play games like Scrabble within Facebook, users must consent to the use of their data. However, Facebook had not provided information about the use of the data in a precise, transparent and comprehensible manner, as required by Article 13 GDPR. The Federal Court of Justice in Germany (“Bundesgerichtshof”) already came to this conclusion in May 2020, but the Bundesgerichtshof considered it unclear whether associations such as the vzbv have the legal authority to bring data protection violations to court. It argues, inter alia, that it can be inferred from the fact that the GDPR grants supervisory authorities extended supervisory and investigatory powers, as well as the power to adopt remedial measures, that it is primarily the task of those authorities to monitor the application of the provisions of the Regulation. The Bundesgerichtshof therefore asked the Court of Justice of the European Union (“CJEU”) to interpret the GDPR. The Advocate General now affirms the admissibility of such an action by an association, at least if the EU member state in question permits it. The action for an injunction brought by the vzbv against Facebook headquarters in Ireland is therefore deemed admissible by the EU Advocate General.
The Advocate General states, that
the defence of the collective interests of consumers by associations is particularly suited to the objective of the General Data Protection Regulation of establishing a high level of personal data protection.
The Advocate General’s Opinion is not legally binding on the CJEU. The role of the Advocate General is to propose a legal solution for the cases to the CJEUin complete independence. The judges of the Court will now begin their consultations in this case.
10. December 2021
The online clothing sales website vinted.com, operated by the Lithuanian company Vinted UAB, has recently had to face a large number of complaints regarding data protection aspects. The appeals were addressed to several national supervisory authorities, which, as a result, joined forces to investigate the website’s overall compliance with the GDPR. To this end, a task force was established, supported by the European Data Protection Board (EDPB), which held its first meeting on November 8th, 2021.
Vinted’s headquarters are located in Lithuania, which makes the State Data Protection Inspectorate (Lithuanian data protection authority) the leading supervisory authority. However, the platform is available in several other countries in Europe, whose supervisory authorities also received the aforementioned complaints. For this reason, the establishment of the task force was jointly decided by the national supervisory authorities from France, Lithuania and Poland. The aim of this task force is to ensure a coordinated approach to resolving the complaints received. It shall also enable a consistent and efficient examination of the compliance of Vinted’s data processing practices with the provisions of the GDPR.
The investigations focus in particular on the following issues:
- website operator’s requirement to upload a scan of the user’s identity card in order to unblock funds received from sales on the corresponding account and the relevant legal basis,
- procedure and criteria for blocking the user’s account and
- applicable data retention periods.
This is not the first time Vinted has been accused of controversial practices. Back on May 18th, 2021, the French consumers group UFC Que Choisir filed a class-action lawsuit with 16 million users against the company for “misleading business practices.” These are said to consist of charging an allegedly optional commission on every transaction, the amount of which only appears at the time of payment.
25. November 2021
The EU Commission is working on a legislative package to combat child abuse, which will also regulate the exchange of child pornography on the internet. The scope of these regulations is expected to include automated searches for private encrypted communications via messaging apps.
When questioned, Olivier Onidi, Deputy Director General of the Directorate-General Migration and Home Affairs at the European Commission, said the proposal aims to “cover all forms of communication, including private communication”.
The EU Commissioner of Home Affairs, Ylva Johansson, declared the fight against child sexual abuse to be her top priority. The current Slovenian EU Council Presidency has also declared the fight against child abuse to be one of its main priorities and intends to focus on the “digital dimension”.
In May 2021, the EU Commission, the Council and the European Parliament reached a provisional agreement on an exemption to the ePrivacy Directive that would allow web-based email and messaging services to detect, remove, and report child sexual abuse material. Previously, the European Electronic Communications Code (EECC) had extended the legal protection of the ePrivacy Directive to private communications related to electronic messaging services. Unlike the General Data Protection Regulation, the ePrivacy Directive does not contain a legal basis for the voluntary processing of content or traffic data for the purpose of detecting child sexual abuse. For this reason, such an exception was necessary.
Critics see this form of preventive mass surveillance as a threat to privacy, IT security, freedom of expression and democracy. A critic to the agreement states:
This unprecedented deal means all of our private e-mails and messages will be subjected to privatized real-time mass surveillance using error-prone incrimination machines inflicting devastating collateral damage on users, children and victims alike.
However, the new legislative initiative goes even further. Instead of allowing providers of such services to search for such content on a voluntary basis, all providers would be required to search the services they offer for such content.
How exactly such a law would be implemented from a technical perspective will probably not be clear from the text of the law and is likely to be left up to the providers.
One possibility would be that software checks the hash of an attachment before it is sent and compares it with a database of hashes that have already been identified as illegal once. Such software is offered by Microsoft, for example, and such a database is operated by the National Center of Missing and Exploited Children in the United States. A hash is a kind of digital fingerprint of a file.
Another possibility would be the monitoring technology “client-side scanning”. This involves scanning messages before they are encrypted on the user’s device. However, this technology has been heavily criticized by numerous IT security researchers and encryption software manufacturers in a joint study. They describe CSS as a threat to privacy, IT security, freedom of expression and democracy, among other things because the technology creates security loopholes and thus opens up gateways for state actors and hackers.
The consequence of this law would be a significant intrusion into the privacy of all EU citizens, as every message would be checked automatically and without suspicion. The introduction of such a law would also have massive consequences for the providers of encrypted messaging services, as they would have to change their software fundamentally and introduce corresponding control mechanisms, but without jeopardizing the security of users, e.g., from criminal hackers.
There is another danger that must be considered: The introduction of such legally mandated automated control of systems for one area of application can always lead to a lowering of the inhibition threshold to use such systems for other purposes as well. This is because the same powers that are introduced in the name of combating child abuse could, of course, also be introduced for investigations in other areas.
It remains to be seen when the relevant legislation will be introduced and when and how it will be implemented. Originally, the bill was scheduled to be presented on December 1st, 2021, but this item has since been removed from the Commission’s calendar.
27. October 2021
As COVID-19 vaccination campaigns are well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information (vaccinated, recovered, test result) and, if so, how that information may be used.
COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.
The following discusses whether employers in various European Economic Area (EEA) countries are permitted to process COVID-19-related information about their employees.
Austria: The processing of health data in context of the COVID-19 pandemic can be based on Article 9 (2) (b) of the GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). Under Austrian labor law, every employer has a duty of care towards its employees, which also includes the exclusion of health hazards in the workplace. However, this only entitles the employer to ask the employee in general terms whether he or she has been examined, is healthy or has been vaccinated. Therefore, if the legislator provides for two other equivalent methods to prove a low epidemiological risk in addition to vaccination, the current view of the data protection authority is that specific questioning about vaccination status is not possible from a data protection perspective. An exception to this is only to be seen in the case of an explicit (voluntary) consent of the employee (Art. 9 (2) a) GDPR), but a voluntary consent is not to be assumed as a rule due to the dependency relationship of the employee.
As of November, employees will be obliged to prove whether they have been vaccinated, recovered from a COVID-19 infection or recently tested negative if they have physical contact with others in enclosed spaces, such as the office.
Belgium: In Belgium, there is no legal basis for the processing of vaccination information of employees by their employer. Article 9 (1) GDPR prohibits the processing of health data unless an explicit exception under Article 9 (2) GDPR applies. Such an exception may be a legal provision or the free and explicit consent of the data subject. Such a legal provision is missing and in the relationship between employee and employer, the employee’s consent is rarely free, as an employee may be under great pressure to give consent. The Belgian data protection authority also explicitly denies the employer’s right to ask.
Finland: The processing of an employee’s health data is only permitted if it is directly necessary for the employment relationship. The employer must carefully verify whether this necessity exists. It is not possible to deviate from this necessity by obtaining the employee’s consent. The employer may process an employee’s health data if this is necessary for the payment of sick pay or comparable health-related benefits or to establish a justified reason for the employee’s absence. The processing of health data is also permitted if an employee expressly requests that his or her ability to work be determined on the basis of health data. In addition, the employer is entitled to process an employee’s health data in situations expressly provided for elsewhere in the Act. The employer may request from occupational health care statistical data on the vaccination protection of its employees.
France: Since July 21st, 2021, a “health passport” is mandatory for recreational and cultural facilities frequented by more than 50 people, such as theaters, cinemas, concerts, festivals, sports venues. The health passport is a digital or paper-based record of whether a person has been vaccinated, recovered within 11 days to 6 months, or tested negative within 48 hours. There are several workplaces where vaccination has been mandatory for workers since August 30th, 2021. These include bars, restaurants, seminars, public transport for long journeys (train, bus, plane). The health passport is also mandatory for the staff and visitors of hospitals, homes for the elderly, retirement homes, but not for patients who have a medical emergency. Also, visitors and staff of department stores and shopping malls need to present a health pass in case the prefect of the department decided this necessary. In these cases, the employer is obliged to check if his employees meet their legal obligations. However, the employer should not copy and store the vaccination certificates, but only store the information whether an employee has been vaccinated. Employers who do not fall into these categories are not allowed to process their employees’ vaccination data. In these cases, only occupational health services may process this type of information, but the employer may not obtain this information under any circumstances. At most, he may obtain a medical opinion on whether an employee is fit for work.
Germany: Processing of COVID-19 related information is generally only permitted for employers in certain sectors. Certain employers named in the law, such as in §§ 23a, 23 Infection Protection Act (IfSG), employers in certain health care facilities (e.g. hospitals, doctors’ offices, rescue services, ) and § 36 (3) IfSG, such as day care centers, outpatient care services, schools, homeless shelters or correctional facilities, are allowed to process the vaccination status of their employees. Other employers are generally not permitted to inquire about the vaccination status of employees. If allowed to process their employee’s vaccination status, employers should not copy the certificates but only check whether an employee is vaccinated. Although there has been an ongoing discussion in the federal government for several weeks about introducing a legal basis that would allow all employers to administer vaccination information. From November 2021, employers must check whether an employee who has been sanctioned with a quarantine due to a COVID-19 infection was or could have been vaccinated prior to the infection. According to Section 56 (1) sentence 4 IfSG, there is no entitlement to continued payment of remuneration for the period of quarantine if the employee could have avoided the quarantine, e.g. by taking advantage of a vaccination program. The employer must pay the compensation on behalf of the competent authority. As part of this obligation to pay in advance, the employer is also obliged to check whether the factual requirements for the granting of benefits are met. The employer is therefore obliged to obtain information on the vaccination status of its employee before paying compensation and, on this basis, to decide whether compensation can be considered in the individual case. The data protection basis for this processing activity is Section 26 (3) of the German Federal Data Protection Act (BDSG), which permits the processing of special categories of personal data – if this is necessary for the exercise of rights or the fulfillment of legal obligations arising from labor law, social security law and social protection law, and if there is no reason to assume that the data subjects’ interest in the exclusion of the processing, which is worthy of protection, outweighs this. The Data Protection Conference, an association of German data protection authorities, states that processing the vaccination status of employees on the basis of consent is only possible if the consent was given voluntarily and therefore legally effective, Section 26 (3) sentence 2 and (2) BDSG. Due to the relationship of superiority and subordination existing between employer and employee, there are regularly doubts about the voluntariness and thus the legal validity of the employees’ consent.
Italy: Since October 15, Italy has become the first country in the EEA to require all workers to present a “green passport” at the workplace. This document records whether a person has been vaccinated, recovered, or tested. A general vaccination requirement has been in effect for health care workers since May, and employees in educational institutions have been required to present the green passport since September.
Netherlands: Currently, there is no specific legislation that allows employers to process employee immunization data. Only the occupational health service and company doctors are allowed to process immunization data, for example when employees are absent or reintegrated. The Minister of Health, Welfare and Sport has announced that he will allow the health sector to determine the vaccination status of its employees. He also wants to examine whether and how this can be done in other work situations. Currently, employers can only offer voluntary testing in the workplace, but are not allowed to document the results of such tests or force
Spain: Employers are allowed to ask employees if they have been vaccinated, but only if it is proportionate and necessary for the employer to fulfill its legal obligation to ensure health and safety in the workplace. However, employees have the right to refuse to answer this question. Before entering the workplace, employees may be asked to provide a negative test or proof of vaccination if the occupational health and safety provider deems it necessary for the particular workplace.
Pages: Prev 1 2 3 4 5 6 7 8 Next 
