An overview of the General Data Protection Regulation occurrences during the month of November
At the end of 2019 we were provided with some reading material for the coming year, including new guidelines from both the European Data Protection Board and the European Data Protection Supervisor, as well as a valuable opinion issued by the Advocate General of the CJEU.
European Data Protection Board publishes Guidelines on the right to be forgotten in search engine cases
On 11 December 2019 the European Data Protection Board (EDPB) published its Draft Guidelines 5/2019 for public consultation, which lay down the criteria and aspects of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (GDPR).
The Guidelines focus on clarifying the grounds on which an individual can rely when requesting the right to be forgotten regarding links to web pages containing his or her personal data, as well as the exceptions that search engine operators may invoke to reject such requests. Furthermore, the Guidelines will be supplemented by an appendix dedicated to the assessment of criteria for handling complaints about refusals of delisting.
The Guidelines distinguish between delisting requests and full erasure requests. A delisting request implies the deletion of the links between specific words and terms entered into the search engine and the search results containing personal data. In the case of a full erasure request, all links to the content containing the data are to be deleted.
In comparison to Directive 95/46/EC of the European Parliament and of the Council, which was repealed by the GDPR, the latter now recognises in its Article 17 the data subject’s right to be forgotten, which can be exercised by a request to erase the relevant data if specific grounds are met. It must be noted that the Guidelines do not analyse Article 17(2), which lays down the duty of the controller to inform other controllers processing the same data of the received request for erasure. The Guidelines state that the search engine operator complying with a request for erasure must not inform the third party that published the relevant data in the first place. Article 17(2) will be addressed in separate guidelines in the future.
With regard to the differences between the GDPR and Directive 95/46/EC, the Guidelines also confirm the shift of the burden of proof regarding the legitimate basis of the requests from the data subject to the controller.
Feedback from the public may be submitted until 5 February 2020.
New Proportionality Guidelines published by European Data Protection Supervisor
The European Data Protection Supervisor (EDPS) has issued Guidelines addressed to policymakers on assessing proportionality when designing and implementing policies and legislative measures.
Any new policies or legislative measures to be implemented that affect and limit the fundamental rights to privacy and data protection must comply with the Charter of Fundamental Rights. As a general rule, in addition to other relevant criteria, any limitation must be necessary and proportionate to achieving its purpose without causing inappropriate damage to persons’ rights.
For this reason the newly adopted Guidelines strive to provide practical tools to assist policymakers in assessing compliance with the Charter. These Guidelines are best used in combination with the Necessity Toolkit published by the EDPS in 2017.
German Data Protection Authority imposes a fine amounting to €9.55 million
In December 2019, Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed a fine amounting to €9.55 million, one of the largest fines in Germany to date.
The company that incurred the fine is one of the largest DSL and mobile service providers and a subsidiary of 1&1 Drillisch AG, which is one of the country’s largest network-independent telecommunications providers.
The breach concerned a failure to have sufficient technical and organisational measures in place to protect customer data in the activity of the call centre. In the given case, it was discovered that the company’s call centre disclosed customer data to callers on the basis of merely the name and date of birth of the customer. In the view of the German Data Protection Authority, such a level of authentication was insufficient to protect the data of customers, and Article 32 of the GDPR was thus violated.
Notwithstanding the breach, the Authority praised the company’s transparency and cooperation after the discovery, as well as its swift action to remedy the situation; however, it still felt the need to impose a fine. For this reason, the Authority chose what it considers a relatively low fine.
Nevertheless, the company is planning to appeal the fine, as it considers it disproportionate and incorrectly calculated and thus in breach of the German legal code’s principles of “equal treatment and proportionality”. Apart from appealing, it also announced that it will soon introduce a personal customer service PIN for authentication, being one of the first companies to undertake such a system.
Hungarian Competition Authority imposed a fine of €3.6 million on Facebook
A fine of a different kind than those usually mentioned in relation to data protection was imposed on the tech giant Facebook; however, it is noteworthy in the discussion on the usage of data. The fine, which amounts to €3.6 million, is the highest fine that the Hungarian Competition Authority (GVH) has ever imposed in a consumer protection case. The GVH held the same view as its counterparts in the USA and the EU that Facebook’s so-called zero-price policy, which presents the Facebook platform as free while it is in fact provided in exchange for user data, is confusing and detrimental to consumers.
The focus of the GVH was Facebook’s slogans, namely ‘It’s free and anyone can join’ and ‘Free and always will be’, which may mislead users into believing that they are not paying for the services with the personal data they share. The deceptive slogans appeared on the Facebook homepage and Help Centre from 2010 until 2019.
The nature of the data Facebook collects is diverse, including users’ behaviour, interests, choice of services, purchasing habits, location, etc. The data is provided on the basis of an agreement which individuals usually do not read thoroughly, if at all. This wide range of personal data is further used for targeted advertising for the monetary benefit of Facebook.
In the opinion of the Authority, the deceptive slogans might confuse individuals in terms of responsibility in relation to the use of the platform, as well as in terms of contractual obligations. This is because the slogans may convince them that there are no risks or obligations, even though in reality a multi-level user commitment takes place, which is not fully transparent because of the complexity of the personal data processing involved.
Advocate General publishes an opinion on the validity of the EU standard contractual clauses
The Advocate General of the Court of Justice of the European Union (CJEU) has published an opinion that acknowledges the validity of the standard contractual clauses (SCC) mechanism for data transfers from the EU to third countries under Article 46 of the GDPR.
The GDPR protects data subjects by allowing transfers to third countries outside the EU only where the receiving country ensures an adequate level of protection of the data or where alternative transfer mechanisms are in place. One of these mechanisms is the SCC adopted by the Commission, which must be applied to the transfer of personal data from the controller to the receiving party in the third country.
The opinion stems from the case initiated by the Austrian attorney and privacy activist Max Schrems regarding his complaint against Facebook. In this case Max Schrems was of the opinion that Facebook unlawfully transfers the personal data of its European users to the US for processing.
The Advocate General confirmed that under the SCC the controller and the supervisory authority are obliged to suspend and prohibit transfers to the US if and when it is believed that there is a conflict between the privacy duties under the SCC and the laws of the country receiving the data, such that the SCC cannot be fully complied with. In addition, the Advocate General held the view that the SCC remain valid for the transfer of personal data and that the sufficiency of the safeguards of the SCC is not affected by the fact that the SCC are not binding on the authorities in the respective third country.
It must be noted that this opinion does not bind the CJEU, and at some point in 2020 we may expect the CJEU to issue a judgment on this matter.
Matiss Liepins is Compliance Officer at Erremme Business Advisors and may be contacted on matl@erremme.com.mt