Category: GDPR

EU Commission publishes Draft Adequacy Decision for South Korea

25. June 2021

On 16 June 2021, the European Commission published the draft adequacy decision for South Korea and transmitted it to the European Data Protection Board (EDPB) for consultation. Thus, the Commission launched the formal procedure towards the adoption of the adequacy decision. In 2017, the Commission announced to prioritise discussions on possible adequacy decisions with important trading partners in East and South-East Asia, starting with Japan and South Korea. The adequacy decision for Japan was already adopted in 2019.

In the past, the Commission diligently reviewed South Korea’s law and practices with regards to data protection. In the course of ongoing negotiations with South Korea, the investigative and enforcement powers of the Korean data protection supervisory authority “PIPC” were strengthened, among other things. After the EDPB has given its opinion, the adequacy decision will need to be approved by a committee composed of representatives of the EU Member States.

The decision of an adequate level of protection pursuant to Art. 45 of the General Data Protection Regulation (GDPR) by the Commission is one of the possibilities to transfer personal data from the EU to a third-country in a GDPR-compliant manner. The adequacy decision will serve as an important addition to the free trade agreement and a strengthening of cooperation between the EU and South Korea. Věra Jourová, the Commission’s Vice-President for Values and Transparency, expressed after launching the formal procedure:

“This agreement with the Republic of Korea will improve the protection of personal data for our citizens and support business in dynamic trade relations. It is also a sign of an increasing convergence of data protection legislation around the world. In the digitalised economy, free and safe data flows are not a luxury, but a necessity.”

Especially in light of the Schrems II decision of the Court of Justice of the European Union, the adequacy decision for South Korea will be an invaluable asset for European and South Korean companies conducting business with each other.

CJEU ruling on One-Stop-Shop mechanism

On June 15th, 2021, the Court of Justice of the European Union (CJEU) ruled that “under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a member state, even though that authority is not the lead supervisory authority”. It grants each supervisory authority the power to bring matters within its supervisory area before the courts. If a non-lead supervisory authority wishes to bring cross-border cases to court, it can do so under the so-called emergency procedure under Article 66 of the GDPR.

The General Data Protection Regulation (GDPR) provides that the data protection authority of the country in which a company has its principal place of business in the EU has primary jurisdiction for cross-border proceedings against such companies (the so-called one-stop-shop principle). Facebook and a number of other international companies have their EU headquarters in Ireland. The Irish data protection authority has been criticised several times for dragging out numerous important cases against tech companies. The CJEU’s ruling is likely to lead to more enforcement proceedings by local data protection authorities.

In 2015 – before the GDPR came into force – the Belgian data protection authority filed a lawsuit in Belgian courts against Facebook’s collection of personal data via hidden tracking tools. These tracking tools even tracked users without Facebook accounts. After the GDPR came into force, Facebook argued that lawsuits against data protection violations could only be filed in Ireland. A court of appeal in Brussels then referred the question to the ECJ as to whether proceedings against Facebook were admissible in Belgium. This has now been confirmed by the ECJ. The Belgian court is now free to make a final decision (please see our blog post).

The CJEU has now ruled that, in principle, the lead data protection authority is responsible for prosecuting alleged GDPR violations if they involve cross-border data processing. The data processing must therefore take place in more than one Member State or have an impact on individuals in several member states. However, it is also specified that the “one-stop-shop” principle of the GDPR obliges the lead authority to cooperate closely with the respective local supervisory authority concerned. In addition, local data protection authorities may also have jurisdiction pursuant to Art. 56 (2) and Art. 66 GDPR. According to the CJEU, if the respective requirements of these provisions are met, a local supervisory authority may also initiate legal proceedings. The CJEU has clarified that actions by non-lead data protection authorities can still be upheld if they are based on the Data Protection Directive, the predecessor of the GDPR.

The EU consumer association BEUC called the ruling a positive development. BEUC Director General Monique Goyens said:

Most Big Tech companies are based in Ireland, and it should not be up to that country’s authority alone to protect 500 million consumers in the EU.

While Facebook’s associate general counsel Jack Gilbert said:

We are pleased that the CJEU has upheld the value and principles of the one-stop-shop mechanism, and highlighted its importance in ensuring the efficient and consistent application of GDPR across the EU.

EDPB adopts final Recommendation 01/2020 on Supplementary Measures for Data Transfers to Third Countries

22. June 2021

On June 21st, 2021 during its 50th plenary session, the European Data Protection Board (EDPB) adopted a final version of its recommendations on the supplementary measures for data transfers.

In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) has decided that, while the Standard Contractual Clauses (SCCs) are still a valid data transfer mechanism, controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In the cases where the effectiveness of appropriate safeguards is reduced due to the legal situation in the third country, exporters may need to implement additional measures that fill the gaps.

To help exporters with the complex task of assessing third countries and identifying appropriate supplementary measures where needed, the EDPB has adopted this recommendation. They highlight steps to follow, potential information sources as well as non-exhaustive examples of supplementary measures that are meant to help exporters make the right decisions for data transfers to third countries.

The recommendations advise exporters to follow the following steps in order to have a good overview of data transfers and potential supplementary measures necessary:

1. Know the data transfers that take place in your organization – being aware of where data flows is essential to identify potentially necessary supplementary measures;

2. Verify the transfer tool that each transfer relies on and its validity as well as application to the transfer;

3. Assess if a law or a practice in the third country impinges on the effectiveness of the transfer tool;

4. Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard;

5. Take formal procedural steps that may be required by the adoption of your supplementary measure, depending on the transfer tool you are relying on;

6. Re-evaluate the level of protection of the data you transfer at appropriate intervals and monitor any potential changes that may affect the transfer.

The EDPB Chair, Andrea Jelinek, stated that “the effects of Schrems II cannot be underestimated”, and that the “EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance”.

The recommendations clearly highlight the importance of exporters to understand and keep an eye on their data transfers to third countries. In Germany, the Supervisory Authorities have already started (in German) to send out questionnaires to controllers regarding their data transfers to third countries and the tools used to safeguard the transfers. Controllers in the EU should be very aware of the subject of data transfers in their companies, and prepare accordingly.

Belgian DPA approves first EU Data Protection Code of Conduct for Cloud Service Providers

21. June 2021

On May 20th, 2021, the Belgian Data Protection Authority (Belgian DPA) announced that it had approved the EU Data Protection Code of Conduct for Cloud Service Providers (EU Cloud CoC). The EU Cloud CoC is the first transnational EU code of conduct since the entry into force of the EU General Data Protection Regulation in May 2018.

The EU Cloud CoC represents a sufficient guarantee pursuant to Article 28 (1) and 28 (5) of the GDPR, as well as Recital 81 of the GDPR, which makes the adherence to the code by cloud service providers a valid way to secure potential data transfers.

In particular, the EU Cloud CoC aims to establish good data protection practices for cloud service providers, giving data subjects more security in terms of the handling of their personal data by cloud service providers. In addition, the Belgian DPA accredited SCOPE Europe as the monitoring body for the code of conduct, which will ensure that code members comply with the requirements set out by the code.

It further offers cloud service providers with practical guidance and a set of specific binding requirements (such as requirements regarding the use of sub-processors, audits, compliance with data subject rights requests, transparency, etc.), as well as objectives to help cloud service providers demonstrate compliance with Article 28 of the GDPR.

In the press release, the Chairman of the Belgian DPA stated that „the approval of the EU Cloud CoC was achieved through narrow collaboration within the European Data Protection Board and is an important step towards a harmonised interpretation and application of the GDPR in a crucial sector for the digital economy“.

Amazon facing potential record GDPR fine

18. June 2021

Luxembourg’s National Commission for Data Protection, the CNPD, has proposed a $ 425 million (€ 348.7 million) fine against Amazon.com Inc. for alleged GDPR violations, the Wall Street Journal reports. It would be the highest penalty to date under EU data protection law, exceeding the current record penalty of € 50 million against Google LLC.

It is not yet clear to the public what exactly the allegations are since the statements are based on a confidential source. Amazon also declined to comment on the case. The charges are apparently related to Amazon’s data collection and usage practices, but do not involve the Amazon Web Services cloud computing business.

The CNPD is Amazon’s competent data protection authority as the international retail company has its regional headquarters in the Grand Duchy of Luxembourg. According to the Article 64 GDPR procedure, the CNPD submitted its draft decision to data protection authorities of the other EU member states, which will have to approve the sanction before it can be officially imposed. Based on comparable cases in the past, the process could take months and lead to substantive changes, including an increased or reduced fine.

Though the proposed amount would set a record, it is far below the maximum of 4 % of the total worldwide annual turnover of the preceding financial year allowed by Article 83 (5) GDPR. It amounts to only about 0.1 % of Amazon’s annual revenue. As some critics say, this illustrates a pattern of data protection authorities favoring big-tech companies and often reducing large initial proposals after a long deliberation period. Given the companies’ massive incomes, such penalties are easy to recover from and ultimately, they run counter to the preventive purpose of the punishment.

As a result, these companies could soon fall under the terms of the Digital Services Act and the Digital Markets Act, which were proposed by the European Commission at the end of 2020 to upgrade rules governing digital services in the EU. This new set of regulations, which specifically targets tech companies, increases potential fines to 10 % of the global turnover.

New SCCs published by the EU Commission for international data transfers

10. June 2021

On June 4th 2021, the EU Commission adopted new standard contractual clauses (SCC) for international data transfers. The SCCs are model contracts that can constitute a suitable guarantee under Art. 46 of the General Data Protection Regulation (GDPR) for the transfer of personal data to third countries. Third countries are those outside the EU/European Economic Area (EEA), e.g. the USA.

The new clauses were long awaited, as the current standard contractual clauses are more than 10 years old and thus could neither take into account the requirements regarding third country transfers of the GDPR nor the significant Schrems II ruling of July 16th, 2020. Thus, third country transfers had become problematic and had not only recently been targeted by investigations by supervisory authorities, inter alia in Germany.

What is new about the SCCs now presented is above all their structure. The different types of data transfers are no longer spread over two different SCC models, but are found in one document. In this respect, they are divided into four different “modules”. This should allow for a flexible contract design. For this purpose, the appropriate module is to be selected according to the relationship of the parties. The following modules are included in the new SCCs:

Module 1: Transfer of personal data between two controllers.
Module 2: Transfer of personal data from the controller to the processor
Module 3: Transfer of personal data between two processors
Module 4: Transfer of personal data from the processor to the controller

The content of the new provisions also includes an obligation to carry out a data transfer impact assessment, i.e. the obligation to satisfy oneself that the contractual partner from the third country is in a position to fulfil its obligations under the current SCCs. Also newly included are the duty to defend against government requests that contradict the requirements of the standard protection clauses and to inform the competent supervisory authorities about the requests. The data transfer impact assessment must be documented and submitted to the supervisory authorities upon request.

The documents are the final working documents. The official publication of the SCCs in the Official Journal of the European Union took place on June 7th, 2021. From then on and within a period of 18 months until December 27th, 2022, the existing contracts with partners from third countries, in particular Microsoft or Amazon, must be supplemented with the new SCCs.

However, even if the new SCCs are used, a case-by-case assessment of the level of data protection remains unavoidable because the new clauses alone will generally not be sufficient to meet the requirements of the ECJ in the above-mentioned ruling. In such a case-by-case examination, the text of the contract and the actual level of data protection must be examined. The latter should be done by means of a questionnaire to the processor in the third country.

Accordingly, it is not enough to simply sign the new SCC, but the controller must take further action to enable secure data transfer to third countries.

Dutch data protection authority imposes fine of €525,000

Company fails to appoint an EU representative. Dutch data protection authority imposes fine of €525,000.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) imposed a fine of €525,000 on Locatefamily.com on May 12, 2021. The company failed to comply with its obligation under Article 27 of the EU General Data Protection Regulation, which required the company to appoint a representative in the EU.

The online platform caught the attention of the authorities because it published the contact details (including telephone numbers and addresses) of individuals. In this regard, the Dutch data protection authority stated that data subjects had often not registered for the online platform. In particular, the data subjects did not know how the company had obtained their data.

After numerous complaints from individuals, the data protection authority determined that the online platform had not complied with requests to delete data. It further came to light that the company had no branches in the EU and had not appointed a representative accordingly. This made it almost impossible for data subjects to assert their rights against the company.

Article 27(2)(a) of the GDPR provides that companies not established in the EU that offer goods or services to persons in the EU or monitor the conduct of persons in the EU must designate a representative in the EU. Although exceptions to this are possible, they are narrowly defined.

An exemption may be considered if the processing of personal data is occasional and does not involve the extensive processing of sensitive personal data or the processing of personal data in connection with criminal convictions and offenses. The processing must also not, taking into account the nature, context, scope and purposes of the processing, result in a risk to the rights and freedoms of natural persons.

As no exceptional case existed in the assessment of the Dutch data protection authority, the company imposed a fine in the amount of €525,000 on Locatefamily.com. To avoid further penalties, the company was to appoint an EU representative by a certain deadline.

High Court dismisses Facebook’s procedural complaints in Data Transfer Case

18. May 2021

On Friday, May 14th 2021, the Irish High Court dismissed all of Facebook’s procedural complaints in a preliminary decision from Ireland’s Data Protection Commission regarding data transfers from the EU to the U.S. It rejected Facebook’s claims that the privacy regulator had given it too little time to respond or issued a judgment prematurely.

If finalized, the preliminary decision could force the social-media company to suspend sending personal information about EU users to Facebook’s servers in the U.S. While the decision of the High Court was only a procedural one, experts warn that the logic in Ireland’s provisional order could apply to other large tech companies that are subject to U.S. surveillance laws. This could potentially lead to a widespread disruption of trans-Atlantic data flows.

Facebook addressed the preliminary decision, stating that Friday’s court decision was procedural and that it planned to defend its data transfers before the Irish Data Protection Commission (DPC). It added that the regulator’s preliminary decision could be “damaging not only to Facebook, but also to users and other businesses.”

However, the Irish DPC still needs to finalize its draft decision ordering a suspension of data transfers and submit it to other EU privacy regulators for approval before it comes into effect. That process could take months, not counting potential other court challenges by Facebook.

Portuguese DPA Orders Suspension of U.S. Data Transfers by National Institute of Statistics

29. April 2021

On April 27, 2021, the Portuguese Data Protection Authority “Comissão Nacional de Proteção de Dados” (CNPD) ordered the National Institute of Statistics (INE) to suspend any international data transfers of personal data to the U.S., as well as other countries without an adequate level of protection, within 12 hours.

The INE collects different kinds of data from Portuguese residents from 2021 Census surveys and transfers it to Cloudfare, Inc. (Cloudfare), a service provider in the U.S. that assists the surveys’ operation. EU Standard Contractual Clauses (SCCs) are in place with the U.S. service provider to legitimize the data transfers.

Due to receiving a lot of complaints, the CNPD started an investigation into the INE’s data transfers to third countries outside of the EU. In the course of the investigation, the CNDP concluded that Cloudfare is directly subject to U.S. surveillance laws, such as FISA 702, for national security purposes. These kinds of U.S. surveillance laws impose a legal obligation on companies like Cloudfare to give unrestricted access to personal data of its customers and users to U.S. public authorities without informing the data subjects.

In its decision to suspend any international data transfers of the INE, the CNPD referred to the Schrems II ruling of the Court of Justice of the European Union. Accordingly, the CNPD is if the opinion that personal data transferred to the U.S. by the INE was not afforded a level of data protection essentially equivalent to that guaranteed under EU law, as further safeguards have to be put in place to guarantee requirements that are essentially equivalent to those required under EU law by the principle of proportionality. Due to the lack of further safeguards, the surveillance by the U.S. authorities are not limited to what is strictly necessary, and therefore the SCCs alone do not offer adequate protection.

The CNPD also highlighted that, according to the Schrems II ruling, data protection authorities are obliged to suspend or prohibit data transfers, even when those transfers are based on the European Commission’s SCCs, if there are no guarantees that these can be complied with in the recipient country. As Cloudfare is also receiving a fair amount of sensitive data n relation to its services for the INE, it influenced the CNDP’s decision to suspend the transfers.

Irish DPC launches investigation into Facebook data leak

26. April 2021

On April 14th, 2021, Ireland’s Data Protection Commission (DPC) announced it launched an investigation into Facebook’s data leak reported earlier this month (please see our blog post here). The inquiry was initiated on the Irish DPC’s own volition according to section 110 of the Irish Data Protection Act. It comes after a dataset of 533 million Facebook users worldwide was made available on the internet.

The Irish DPC indicated in a statement that, “having considered the information provided by Facebook Ireland regarding this matter to date, the DPC is of the opinion that one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data”. The Irish DPC further stated that they had engaged with Facebook Ireland in relation to this reported issue, raising queries in relation to GDPR compliance, to which Facebook Ireland furnished a number of responses.

The launch of an investigation by the Irish authorities is significant due to the fact that Ireland remains home to Facebook’s European headquarters. This means the Irish DPC would act as the lead regulator within the European Union on all matters related to it. However, Ireland’s data watchdog has faced criticism from privacy advocates for being too slow with its GDPR investigations into large tech companies. In fact, the inquiry comes after the European Commission intervened to apply pressure on Ireland’s data protection commissioner.

Facebook’s statement on the inquiry has been shared through multiple media, and it has announced that Facebook is “cooperating fully with the DPC in its enquiry, which relates to features that make it easier for people to find and connect with friends on our services. These features are common to many apps and we look forward to explaining them and the protections we have put in place.”

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 19 20 21 Next
1 2 3 4 21