CJEU Advocate General’s opinion on GDPR’s One-Stop-Shop mechanism

26. January 2021

On January 13, 2021, the Advocate General (“AG”) of the Court of Justice of the European Union (“CJEU”) published an opinion in the case of Facebook Ireland Limited, Facebook INC, Facebook Belgium BVBA v the Belgian Data Protection Authority “Gegevensbeschermingsautoriteit” (“Belgian DPA”), addressing the General Data Protection Regulation’s (“GDPR”) One-Stop-Shop mechanism.

In 2015, the Belgian DPA initiated several legal proceedings against Facebook Group members in local courts. The allegation was that Facebook placed cookies on devices of Belgian users without their consent, thereby collecting data in an excessive manner. Facebook argued that with the GDPR becoming applicable in 2018, the Belgian DPA lost its competence to continue the legal proceedings, as Facebook’s lead supervisory authority under the GDPR is the Irish Data Protection Commission. The Belgian Court of Appeal referred several questions to the CJEU, including whether the GDPR’s One-Stop-Shop regime prevented national DPA’s from initiating proceedings in the national courts when it is not the lead DPA.

The AG responded that, in his opinion, the lead DPA has the general jurisdiction over cross-border data processing, while a national DPA may exceptionally bring proceedings before its own national courts. The national DPA’s right is subject to the One-Stop-Shop regime and cooperation and consistency mechanism of the GDPR. Thus, each national DPA has the competence to initiate proceedings against possible infringements affecting its territory, the significant regulatory role of the lead DPA limits this competence with respect to cross-border data processing.

One of the concerns expressed by the Belgian DPA was the risk of insufficient enforcement if only lead DPA’s may act against organizations that do not comply with the GDPR. In this regard, the GA emphasizes that Art. 61 GDPR specifically provides for appropriate mechanisms to address such concerns. National DPA’s have the possibility to ask the lead DPA for assistance in investigations, and if such assistance is not provided, the national DPA concerned may take action itself.

In certain circumstances, the AG sees the possibility for national DPAs not acting as lead DPA to initiate proceedings before their national court, if

  • the DPA is acting outside of the material scope of the GDPR; e.g., because the processing does not involve personal data;
  • cross-border data processing is carried out by public authorities, in the public interest, or to comply with legal obligations;
  • the processor is not established in the EU;
  • there is an urgent need to act to protect the rights and freedoms of data subjects (Art. 66 GDPR);
  • the lead DPA has decided not to process a case.

With regards to data subjects, the AG notes that data subjects can bring action against any controller or processor before the court of their Member State and may file a complaint with their Member State’s DPA, regardless of which Member State’s DPA is the lead DPA.

The AG’s opinion is not legally binding on the CJEU, although the CJEU will take it into account. A final judgment of the CJEU is expected in the coming months. Thereafter, the Belgian Court of Appeal will have to decide its case in accordance with the CJEU’s judgment. The CJEU’s decision will most likely have a lasting impact on the division of roles between lead DPAs and other national DPAs, as well as on the ability of national DPAs to take enforcement actions into their own hands.

WhatsApp’s privacy policy update halted

22. January 2021

Already at the beginning of December 2020, first indications came up signaling that WhatsApp will change its terms of service and privacy policy. Earlier this year, users received the update notice when launching the app on their device. It stated that the new terms concern additional information on how WhatsApp processes user data and how businesses can use Facebook hosted services to store and manage their WhatsApp chats. The terms should be accepted by February 8th, 2021, to continue using the chat service. Otherwise, the deletion of the account was suggested, because it will not be possible to use WhatsApp without accepting the changes. The notice has caused all sorts of confusion and criticism, because it has mistakenly made many users believe that the agreement allows WhatsApp to share all collected user data with company parent Facebook, which had faced repeated privacy controversies in the past.

Users’ fears in this regard are not entirely unfounded. As a matter of fact, outside the EU, WhatsApp user data has already been flowing to Facebook since 2016 – for advertising purposes, among other things. Though, for the EU and the United Kingdom, other guidelines apply without any data transfer.

The negative coverage and user reactions caused WhatsApp to hastily note that the changes explicitly do not affect EU users. Niamh Sweeney, director of policy at WhatsApp, said via Twitter that it remained the case that WhatsApp did not share European user data with Facebook for the purpose of using this data to improve Facebook’s products or ads.

However, since the topic continues to stir the emotions, WhatsApp felt compelled to provide clarification with a tweet and a FAQ. The statements make it clear once again that the changes are related to optional business features and provide further transparency about how the company collects and uses data. The end-to-end encryption, with which chat content is only visible to the participating users, will not be changed. Moreover, the new update does not expand WhatsApp’s ability to share data with Facebook.

Nevertheless, despite all efforts, WhatsApp has not managed to explain the changes in an understandable way. It has even had to accept huge user churn in recent days. The interest in messenger alternatives has increased enormously. Eventually, the public backlash led to an official announcement that the controversial considered update will be delayed until May 15th, 2021. Due to misinformation and concern, users shall be given more time to review the policy on their own in order to understand WhatsApp’s privacy and security principles.

German online shop receives fine of 10.4 mio. Euro for unlawful video surveillance

13. January 2021

The State Commissioner for Data Protection of Niedersachsen (“LfD Niedersachsen) has imposed a fine of 10.4 mio. Euro on notebooksbilliger.de AG, a German online shop for notebooks.

According to the press release of the LfD Niedersachsen, dated 08.01.2021, notebooksbilliger.de had been video-monitoring its employees for at least two years, including  workplaces, sales rooms, warehouses and common areas, without a legal basis. Customers were also affected by the video surveillance, as some cameras were directed at seats in the sales area of the stationary stores.

Notebooksbilliger.de claimed that the cameras were intended to prevent and solve crimes and offences as well as track the flow of goods in the warehouses. In the opinion of the LfD Niedersachsen, a company must consider milder measures to prevent thefts such as random bag checks of the employees when leaving the premises. Moreover, video surveillance is only considered lawful, if there is reasonable suspicion against specific persons and only for a limited period of time. This was not the case at notebooksbilliger as the authority investigated. Additionally, the recordings of the video surveillance were stored for 60 days in many cases, which was significantly longer than necessary.

In the meantime, notebooksbilliger.de had set up the video surveillance lawfully and had proven that to the LfD Niedersachsen.

The fine is not yet legally binding. The company has appealed the fine and published a statement in this regard on its homepage. Notebooksbilliger.de considers the amount of the fine to be disproportionate to the financial strength of the company and defends itself against the statement that it systematically monitored the performance and behavior of its employees. According to the statement, the video system was at no time designed to monitor the behavior of employees or their performance. Futhermore, despite several invitations by notebooksbilliger.de, no one of the authority had spoken to employees in the company’s warehouses or dispatch centers.

Apple launched higher data protection standard

Already announced in Apples Worldwide Developers Conference last June a new privacy feature for Apple’s App Store has now been launched with iOs 14.3 (we reported). Originally iOs 14 should have had these update, but based on critic of app developers and big tech giants the launch has been postponed to give the concerned persons and companies more time to be prepared for the changes.

The update requires the App providers to answer several questions regarding data privacy. The requirement to answer the questions only apply in case an app is uploaded to the App Store for the first time or in case an update is published by the App provider. So at this point, not many apps come up with this additional information. However, Apple’s own apps and for example the Facebook Messenger have already been updated regarding this information.

The process is as follows: In the course of uploading an app or update the provider must answer questions regarding inter alia which categories of personal data are collected by the app or third parties within the app, if the data is used to track the user and with which data sources and other data the obtained data is linked. The inserted information is afterwards displayed in the App Store below the rating of the app.

According to Apple, the goal is that the information in the App Store should make it easier for the user to know what the privacy status of an app is. However, it should be noted that the information is based solely on the (voluntary) information provided by the provider and is not verified by Apple.

Category: Data Protection
Tags: , , ,

Hackers access Microsoft source codes

7. January 2021

In December 2020 cybersecurity firm FireEye reported that it had been attacked by what they called a “highly sophisticated cyber threat actor”, during which copies of its red team tool kit were stolen. Also in December, FireEye disclosed that it discovered attacks on SolarWinds’ tool “Orion” while investigating its own security breach. In a SEC filing, SolarWinds said up to 18,000 of 33,000 Orion customers may have been affected. The attacks may have begun in early 2020.

A group believed to be state-sponsored used contaminated updates for the “Orion” network management software. They accessed a SolarWinds system used to update Orion and from there inserted malicious code into legitimate software updates that were then distributed to customers. The affected versions are 2019.4 through 2020.2.1, which were released between March and June 2020. It is still unclear how the attackers initially gained access to SolarWinds’ network. Security researcher Vinoth Kumar stated on Twitter he contacted SolarWinds in 2019 regarding an FTP access uploaded to GitHub in 2018. Using the password “solarwinds123,” he was able to upload a file to the SolarWinds server as proof of the vulnerability.

Agencies and companies that have been penetrated by the Orion software include the U.S. Treasury Department, the U.S. Department of Homeland Security, the National Nuclear Security Administration, parts of the Pentagon, Belkin, Cisco, Intel, Microsoft, and Nvidia.
The FBI and other U.S. security agencies issued a joint statement calling the attack “significant and ongoing”. Also, agencies and companies in other countries such as Belgium, Canada, Germany, Israel, Mexico, Spain, the United Kingdom, and the United Arab Emirates were affected.

So far, it is unclear what damage, if any, was caused by the attacks and what data was accessed. According to reports, in some cases, internal communications were accessed and various documents were copied, with documents relating to ongoing product development, in particular, attracting the attackers’ interest. In an interview published by the U.S. State Department, U.S. Secretary of State Michael R. Pompeo claimed Russia was responsible for the attack.

“This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”

Among those affected, Microsoft is being most viral regarding the hack. In a blog post published on December 31, the company even admitted that the hackers had access to its source codes. According to that post, they were able to view the code but not modify it. Still, this could pose a significant security risk, as the attackers can now study the software’s architecture and look for possible entry points. Microsoft won’t reveal which tool’s source codes the attackers had access to. It also identified more than 40 of its own customers who were targeted.
Microsoft President Brad Smith wrote:

“This is not just an attack on specific targets but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”

This cyber-attack shows the importance of strong cybersecurity for every company and private user, as even tech-giants and fundamental U.S. authorities were victims of this attack. In particular, access to Microsoft’s source codes could be the ground for further attacks on high- and low-profile targets, as Microsoft’s tools are used in businesses of all sizes and by individuals as well.

EU-UK Trade Deal in light of Data Protection

4. January 2021

Almost fit to be called a Christmas miracle, the European Union (EU) and the United Kingdom (UK) came to an agreement on December 24th, 2020. The Trade Agreement, called in full length “EU-UK Trade and Cooperation Agreement“, is set out to define new rules from the date of the UK Exit from the EU, January 1st, 2021.

President of the European Commission, Ursula von der Leyen, claimed it was a deal worth fighting for, “because we now have a fair and balanced agreement with the UK, which will protect our European interests, ensure fair competition, and provide much needed predictability for our fishing communities. Finally, we can leave Brexit behind us and look to the future. Europe is now moving on.

In light of Data Protection however, the new Trade Deal has not given much certainty of what is to come next.

Both sides are aware that an adequacy decision by the EU Commission is very important with regard to data protection and cross-border data flows. Accordingly, the EU has agreed to allow a period of four months, extendable by a further two months, during which data can be transferred between EU Member States and the UK without additional safeguards. This period was granted to give the Commission enough time to make an adequacy decision. Accordingly, data transfers can continue as before until possibly mid-2021. However, this arrangement is only valid if the UK does not change its data protection laws in the meantime.

With regard to direct marketing, the situation has not changed either: for individuals, active consent must be given unless there was a prior contractual relationship and the advertising relates to similar products as the prior contract. Furthermore, the advertising must also be precisely recognisable as such, and the possibility of revoking consent must be given in every advertising mail.

However, much else has yet to be clarified. Questions such as the competence of the UK Data Protection Authority, the Information Commissioner’s Office (ICO), as well as the fate of its ongoing investigations, have not yet been answered. As of now, companies with their original EU Headquarters in the UK will have to designate a new Lead Supervisory Authority (Art. 56 GDPR) for their business in the EU.

The upcoming months will determine if questions with high relevance to businesses’ day to day practice will be able to be answered reassuringly.

Happy New Year 2021!

1. January 2021

Dear readers,

We, the team of the privacy-ticker.com, wish you a happy new year.

As in the extraordinary and challenging year of 2020, we are delighted to keep you updated in the new year on judicial and supervisory decisions on international data protection law, as well as other news in the areas of data protection and data security.

We look forward to 2021 with excitement and hope and wish you only the best for the new year. Stay safe and healthy!

Your team of privacy-ticker.com

Category: General

European Commission proposes draft “Digital Service Act” and “Digital Market Act”

21. December 2020

On December 15th, the European Commission published drafts on the “Digital Service Act” (“DSA”) and the “Digital Market Act” (“DMA”), which are intended to restrict large online platforms and stimulate competition.

The DSA is intended to rework the 20-year-old e-Commerce Directive and introduce a paradigm shift in accountability. Under the DSA, platforms would have to prove that they acted in a timely manner in removing or blocking access to illegal content, or that they have no actual knowledge of such content. Violators would face fines of up to 6% of annual revenue. Authorities could order providers to take action against specific illegal content, after which they must provide immediate feedback on what action was taken and when. Providing false, incomplete or misleading information as part of the reporting requirement or failing to conduct an on-site inspection could result in fines of up to 1% of annual revenue. The scope of said illegal content is to include for example, criminal hate comments, discriminatory content, depictions of child sexual abuse, non-consensual sharing of private images, unauthorized use of copyrighted works, and terrorist content. Hosting providers will be required to establish efficient notice and action mechanisms that allow individuals to report and take action against posts they deem illegal. Platforms would not only be required to remove illegal content, but also explain to users why the content was blocked and give them the opportunity to complain.

Any advertising on ad-supported platforms would be required to be clearly identifiable as advertising and clearly state who sponsored it. Exceptions are to apply to smaller journalistic portals and bloggers, while even stricter rules would apply to large platforms. For example, platforms with more than 45 million active users in the EU could be forced to grant comprehensive access to stored data, provided that trade secrets are not affected, and to set up archives that make it possible to identify disinformation and illegal advertising.

Social network operators would have to conduct annual risk assessments and review how they deal with systemic threats, such as the spread of illegal content. They would also be required to provide clear, easy-to-understand and detailed reports at least once a year on the content moderation they have carried out during that period.

Newly appointed “Digital Service Coordinators” in each EU-Member-State are supposed to enforce the regulation, for example by ordering platforms to share data with researchers who shall investigate the platforms relevant activities, while a new European committee is to ensure that the DSA is applied uniformly across the EU. On demand of the Digital Service Coordinators platforms would have to provide researchers with key data, so they can investigate the platforms relevant activities.

The DMA includes a list of competition requirements for large platforms, so called “gatekeepers”, that have a monopoly-like status. The regulations aim to strengthen smaller competitors and prevent the large gatekeepers from using their dominance to impose practices perceived as unfair. They would neither be allowed to exclusively pre-install their own applications, nor to force other operating system developers or hardware manufacturers to have programs pre-installed exclusively by the gatekeeper’s company. In addition, preventing users from uninstalling included applications would be prohibited. Other common measures of self-preference would also be prohibited. For example, gatekeepers would no longer be allowed to use data generated by their services for their own commercial activities without also making the information available to other commercial users. If a provider wanted to merge data generated by different portals, he would have to obtain explicit consent from users to do so.

The publication of the DSA and the DMA is the next step in the European Commission’s 2020 European strategy for data, following the proposal of the Data Governance Act in November. Like the Data Governance Act, the DSA and DMA aim to push back the dominance of tech giants, particularly those from the U.S. and China, while promoting competition.

EDPS considers Privacy Shield replacement unlikely for a while

18. December 2020

The data transfer agreements between the EU and the USA, namely Safe Harbor and its successor Privacy Shield, have suffered a hard fate for years. Both have been declared invalid by the European Court of Justice (CJEU) in the course of proceedings initiated by Austrian lawyer and privacy activist Max Schrems against Facebook. In either case, the court came to the conclusion that the agreements did not meet the requirements to guarantee equivalent data protection standards and thus violated Europeans’ fundamental rights due to data transfer to US law enforcement agencies enabled by US surveillance laws.

The judgement marking the end of the EU-US Privacy Shield (“Schrems II”) has a huge impact on EU companies doing business with the USA, which are now expected to rely on Standard Contractual Clauses (SCCs). However, the CJEU tightened the requirements for the SCCs. When using them in the future, companies have to determine whether there is an adequate level of data protection in the third country. Therefore, in particular cases, there may need to be taken additional measures to ensure a level of protection that is essentially the same as in the EU.

Despite this, companies were hoping for a new transatlantic data transfer pact. Though, the European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski expressed doubts on an agreement in the near future:

I don’t expect a new solution instead of Privacy Shield in the space of weeks, and probably not even months, and so we have to be ready that the system without a Privacy Shield like solution will last for a while.

He justified his skepticism with the incoming Biden administration, since it may have other priorities than possible changes in the American national security laws. An agreement upon a new data transfer mechanism would admittedly depend on leveling US national security laws with EU fundamental rights.

With that in mind, the EU does not remain inactive. It is also trying to devise different ways to maintain its data transfers with the rest of the world. In this regard, the EDPS appreciated European Commission’s proposed revisions to SCCs, which take into consideration the provisions laid down in CJEU’s judgement “Schrems II”.

The proposed Standard Contractual Clauses look very promising and they are already introducing many thoughts given by the data protection authorities.

Swedish court confirms Google’s violations of the GDPR

16. December 2020

The Administrative Court of Stockholm announced on November 23rd, 2020, that it had rejected Google LLC’s appeal against the decision of the Swedish Data Protection Authority (Datainspektionen) determining Google’s violations of the GDPR. Google as a search engine operator had not fulfilled its obligations regarding the right to be forgotten (RTBF). However, the court reduced the fine from a total of SEK 75 million (approx. € 7,344,000) to SEK 52 million (approx. € 5,091,000).

Background to the case was the Swedish DPA’s audit in 2017 concerning Google’s handling of requests on delisting, which means removal of certain results from a search engine. The DPA concluded the inspection by ordering Google to delist certain individuals’ names due to inaccuracy, irrelevance and superfluous information. In 2018 the DPA initiated a follow-up audit because of indications that Google had not fully complied with the previously issued order. It resulted in issuing an administrative fine of SEK 75 million in March 2020.

The DPA raised attention to the fact that the GDPR increases the obligations of data controllers and data processors as well as strengthens the rights of individuals, which include the right to have their search result delisted. Though, Google has not been fully complying with its obligations, as it has not properly removed two of the search result listings that the DPA had ordered to delete. In one case Google has done a too narrow interpretation of what web addresses to remove, in the other case Google has failed to remove it without undue delay.

Moreover, the DPA criticized Google’s procedure of managing delisting requests and found it to be undermining data subjects’ rights. Following the removal of a search result listing, Google notifies the website to which the link is directed. The delisting request form, directed to the data subject raising the request, states that information on the removed web addresses can be provided to the webmaster. This information has to be seen as misleading since the data subject is made to understand that its consent to the notification is required in order to process the request. Therefore, such practice might result in individuals refraining from exercising their right to request delisting, which violates Art. 5 (1) lit. a) GDPR. What’s more, in the opinion of the DPA the delisting notifications to the webmasters are not covered by legal obligations according to Art. 6 (1) lit. c), 17 (2) GDPR, nor legitimate interests pursuant to Art. 6 (1) lit. f) GDPR. Also, Google’s routine of regularly sending information to webmasters constitutes processing of personal data being incompatible with the purpose for which the data was originally collected. This practice infringes Art. 5 (1) lit. b), 6 (4) GDPR.

Google appealed the decision of the DPA. Though, the Swedish Administrative Court of Stockholm reaffirmed the DPA’s opinion and confirmed Google’s violations of the GDPR.

The court stated that the process concerning delisting requests must facilitate for the individual to exercise its rights. That means, any process that restricts the individuals’ rights may violate Art. 15 through 22 GDPR. The court also specified why the personal data had been processed beyond their original purpose. Since the notifications are only sent after Google has removed a search result, the purpose of the processing has already expired when the notification is sent. Thus, the notification cannot be considered effective in achieving the purpose specified by Google.

Google shall now delist specific search results and cease to inform webmasters of requests. Also, Google must adapt its data subject rights procedure within eight weeks after the court’s judgment has gained legal force.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 53 54 55 Next
1 2 3 4 5 6 55