NEWSLETTER No 33 // Tuesday 24 May 2022
Edito
GDPR, YEAR 4: COMPARATIVE VIEWS FROM ABROAD
This month, on the fourth anniversary of the GDPR implementation, our newsletter, “La Lettre du DPO”, has interviewed the legal experts of PANGEA NET, an international network of independent law firms, including klein •  wenner. They share with us their personal views on the practical application of the GDPR and the main trends that are emerging in their respective countries. Many thanks to all of them!
 
A new and growing trend which has led, in France, to the emergence of new concerns. Apart from the increase in the number of sanctions issued by the CNIL, the French data protection authority (the amounts are still low, but the number is significantly increasing), the 2021-2022 year has been characterized by the extension of the health crisis which has permanently imposed social distancing and teleworking for the whole population. People now use digital tools on a daily basis, both in their professional and personal lives. Facing this change, the authorities have become aware of the impact of the increasing use of digital services on the sovereignty of States, as well as on the environment. 

 
A first emerging trend: protecting digital sovereignty. Since the invalidation of the “Privacy Shield” adequacy decision in July 2020, the 2021-2022 year has been characterized by the authorities' desire to provide companies with practical solutions. This trend has notably emerged with the admission of the United Kingdom and South Korea among the countries receiving an "adequate level" of protection, and with the adoption of new standard contractual clauses by the European Commission, even if there are still many questions and doubts on this subject.
 
A second emerging trend: reducing the environmental footprint of data. No significant legislative initiative has yet been taken on this subject. It is true that Law 2021-1485 of November 15th, 2021, "aimed at reducing the environmental footprint of digital technology in France" (OJ 16 Nov. 2021, text no. 2) has been adopted. However, this text, which mainly includes provisions on ecodesign and recycling as well as on the repair of digital equipment, contains very few provisions aimed at reducing the consumption of data (probably due to the upcoming arrival of 5G, encouraged by the public authorities, which will amplify this consumption). However, many people and associations are expressing their views on the subject, including the CNIL itself ("Données et environnement : comment prévenir les marées noires du XXIe siècle?" – “Data and environment: how to prevent the oil spills of the 21st century?”, 19/05/2021, LINC/CNIL’s Digital Innovation Laboratory). Therefore, it seems clear that the re-elected President of the French Republic, for his five-year term opening in 2022, will have to tackle this challenge, perhaps starting by giving more resources to the courts for the enforcement of the GDPR. By imposing data minimization, this regulation is actually a powerful promoter of human and environmental ecology.



Enjoy the reading! 

Matthieu Bourgeois and Laurent Badiane, partners in charge of the Intellectual Property and Digital Law Team.


PANGEA NET experts share their views on the practical application of the GDPR and the main trends that are emerging in their countries.
To read the full interviews with each of our Pangea network experts, please click here.
Austria
In Austria, the past 12 months have been dominated by high penalties and the Google Analytics decision (D155.027). 

Updates on the Data Protection Authority and level of compliance. The Austrian Data Protection Authority (DPA) has increased its workforce by 13 employees and set up a “task force” for dealing with complaints regarding cookies and cookie banners. There are no official evaluations of the level of compliance among Austrian companies.

Penalties or other sanctions. According to the DPA report of 2021, penalties of almost EUR 25 million were imposed (not legally binding yet). This shows that the DPA is imposing very high penalties, including on partly state-owned companies.

Google Analytics. The DPA held that the use of Google Analytics violates the GDPR. It found that (i) when using Google Analytics, personal data are processed, and (ii) the standard contractual clauses and additional measures do not provide the appropriate safeguards necessary for the transfer of data to the United States.
Belgium
The Belgian Data Protection Authority strikes the adtech industry: the consent framework of IAB Europe infringes the GDPR
 
The Belgian DPA has ruled in a decision of 2 February 2022 that the Transparency and Consent Framework (TCF), developed by IAB Europe, does not comply with a number of provisions of the GDPR.
 
The TCF is a widespread mechanism that facilitates the management of user preferences for online personalised ads and plays a key role in so-called Real Time Bidding (RTB). The lawfulness of processing personal data in the context of RTB is questioned, so the decision is of particular relevance to the whole online advertising industry.
 
The Belgian DPA identified a series of GDPR infringements by IAB Europe:
 
  • there was no legal basis for the different processing activities in the context of RTB,
  • the information that was provided to the data subjects was too generic and vague,
  • there was a lack of organisational and technical measures in accordance with the principle of data protection by design and by default,
  • IAB Europe had also failed to keep a register of processing activities, to appoint a DPO and to conduct a “DPIA” (data protection impact assessment). 
The Belgian DPA imposed a fine of 250.000,00 EUR on IAB Europe and gave the company two months to submit an action plan to bring its operations into compliance. IAB Europe has already announced that an appeal will be lodged.
Bulgaria
In 2021, the Bulgarian Commission for Personal Data Protection ("CPDP" or “Commission”) received over 840 complaints, including an increased number of complaints about video surveillance (196) and some breaches concerning the provision of postal and courier services. The total amount of fines was 319 000 BGN; warnings, prohibitions and injunctions were also imposed.
 
No amendments have been introduced in the major Data Protection Act. However, the following elements have been observed: enhanced practice of the CPDP in accordance with the EDPB’s Draft of Guidelines for the implementation of Art. 62 of the GDPR and Guidelines 01/2021 on Examples regarding Personal Data Breach Notification; enhanced analysis of artificial intelligence, facial recognition, protection of children's personal data on the internet, big data and the related possibility of profiling; enhanced efforts towards full Schengen membership in 2021, with checks on national systems/units of the second generation Schengen Information System (SIS II), the Visa Information System (VIS) and the national consular service.
Croatia
The Croatian Data Protection Authority (DPA) recently imposed two administrative fines with a total amount of HRK 1,6 million.

The first administrative fine, of HRK 940,000.00 (approximately EUR 125,000), was imposed on a company in the energy sector for failing to provide copies of personal data (video surveillance recordings) upon request of a data subject, in violation of Article 15.3 of the GDPR. Following the controller's refusal to provide the copies, the data subject turned to the DPA, which requested that the copies be provided. The controller responded that the requested copies of the video surveillance recordings could not be delivered as they are deleted after seven (7) days. The DPA considered that there was an indirect prejudice for the data subject and a potential financial benefit for the controller who, by eliminating important evidence in the dispute, avoided a financial condemnation in the dispute with the data subject.

The second administrative fine, of HRK 675,000.00 (approximately EUR 90,000), was imposed on a retail chain for failing to implement appropriate security measures in violation of Article 32 of the GDPR, which led to the public disclosure of personal data on social networks and in the media. More precisely, the controller reported an internal data breach to the DPA, as employees had made a copy of video surveillance recordings using their smartphones and published them online. The DPA considered that the data controller did not, either before or after the incident, take appropriate technical and organizational security measures which could have minimized the risk of the same or a similar incident.
Czech Republic
Time of inconspicuous yet significant changes
 

The Covid-19 pandemic brought new challenges regarding personal data and significantly shifted society's focus to the processing of personal data within employment relationships. People are gradually becoming more concerned about their personal data, and the number of complaints has also increased. The most common forms of misconduct are having no proper legal basis, using data for purposes other than those for which they were collected, and failing to inform the data subjects about the processing. The highest fine imposed in 2021 was approx. 80.000 €.
 
Cookies and cloud services are also getting a lot of attention recently. The Czech Republic finally aligned with the EU standard and adopted the opt-in principle when allowing cookies in browsers. This was not welcomed, but due to the availability of international solutions, most addressees tried to comply. However, it remains to be clarified by respective decisions whether some of these solutions are fully in accordance with the GDPR. The Czech DPA is aware of that and plans to focus its inspection activities on this field as well.
Ireland
Ireland - Data Protection Highlights 2021-2022

The most frequent GDPR topics for queries and complaints include access requests, fair-processing, disclosure, direct marketing and the right to be forgotten.

In September 2021 the Data Protection Commission (DPC) announced a conclusion to a GDPR investigation conducted into WhatsApp Ireland Limited. The decision was subject to the EU dispute resolution process, after which the DPC imposed a fine of €225 million on WhatsApp and an order for WhatsApp to bring its processing into compliance. On 15 March 2022 the DPC adopted a decision imposing a fine of €17 million on Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) following an enquiry into a series of 12 data breach notifications. 

According to the Commissioner: “It is clear that “data controllers” in Ireland continue to improve their compliance efforts, but higher standards of responsiveness to individuals seeking to exercise their rights are still needed in many sectors.”
Italy
With a decision rendered in February 2022, the Italian Supervisory Authority imposed a fine of EUR 20 million on Clearview AI - a US company which offers facial recognition services based on images extracted via web scraping - due to the unlawful processing of biometric and geolocation data of individuals located in the Italian territory.

The inquiry activities carried out by the Supervisory Authority, which started from press news, a few complaints lodged by data subjects and alerts from data protection associations, pointed out that Clearview AI's facial recognition system allowed the tracking of individuals located in Italy. Such tracking was carried out in breach of the fundamental principles of the GDPR, such as transparency, purpose limitation and retention period limitation, and without an appropriate legal basis.

In addition to the fine, the Italian Supervisory Authority banned any processing of personal data through the US company's facial recognition system and ordered it to delete the biometric and common data processed relating to individuals located in Italy.
Poland
CONSTANT INCREASE IN LEGAL AWARENESS REGARDING THE PROTECTION OF PERSONAL DATA

A constant trend in Poland: the awareness of the rights and obligations resulting from GDPR. 
Last year, the Polish supervisory authority received over 8,500 complaints about a breach of data protection. The data controllers reported almost 13,000 cases of violations. 

Moreover, the supervisory authority noted a significant increase in the number of legal questions submitted to the office regarding the application of the GDPR. This shows that data controllers, data protection officers and citizens themselves identify problems very quickly and expect guidance.

Since 2018, the supervisory authority has imposed more than 40 fines totaling almost € 3.5 million. Only slightly over € 32,000 was actually paid by the punished entities, since (i) the convicted entities have appealed the penalty decision and (ii) time-consuming court procedures have delayed the execution of the decision. So far, almost all of the completed court cases have been resolved in favor of the supervisory authority.
Switzerland
Cloud Services for the Public Administration in Switzerland

While Switzerland is still waiting for the entry into force of the revised Federal Data Protection Act FDPA (recent news announced it for September 2023) and for the publication of the revised Ordinance to the FDPA, companies have already started to implement the new rules. 

Apart from that, many businesses have already implemented the new Standard Contractual Clauses for data transfers abroad and are developing an approach for the data transfer impact assessment (TIA) concerning data transfers to third countries. The data export requirements and TIA are particularly important with respect to cloud services of providers with US headquarters. In this connection, a decision taken by the government of the Canton of Zurich (the most populous Canton of Switzerland) in March 2022 has been highly discussed. The Zurich government approved the use of Microsoft 365 for the cantonal public administration and set a standard method to assess the risk of lawful access for cloud services. Moreover, it decided that if the period within which a lawful access occurs with a probability of 90% exceeds 100 years, the cantonal public administration is allowed to use the cloud service without further approval. For Microsoft 365, the Zurich government assessed that it will take 1206 years until one lawful access will occur with a probability of 90% when using Microsoft 365 with the technical and organisational security measures that will be implemented to protect data in the cloud.
 
The Intellectual Property and Digital Law Team at klein • wenner

Fortified by in-depth experience, klein • wenner's attorneys in the IT Law and Intellectual Property team, who are experts in the digital sector and in GDPR, have developed a transversal practice unique in the area of data law. We work with other experts (in cybersecurity, SI/data governance and other areas), and our team offers a global, cooperative approach to all the issues relating to data (privacy, intellectual property, cybersecurity and open data - *with klein • wenner's Public Law team).
La Lettre du DPO is a publication of KGA Avocats which processes your data in accordance with the regulation regarding personal data. To learn more, click here