Data Protection News: September 2019

Erase and rewind: new CJEU case-law on right to erasure

The story of the right to erasure as applied to the processing of personal data by online search engines began in 2014, with the CJEU Google Spain C-131/12 case. This September brought fresh developments, in two cases concerning the territorial scope of the right to obtain de-referencing from search results and the conditions under which such de-referencing can be requested.

In Google v. CNIL C-507/17, the French supervisor (CNIL) had interpreted the scope of the right to erasure as encompassing all of the domain name extensions of Google Search. The CJEU disagreed, holding that Google “is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States”. However, Google must also take measures which effectively prevent or, at the very least, seriously discourage users searching from within the EU from reaching, via other domain name extensions, the links that have been de-referenced.

The other case, G.C. and Others v. CNIL C-136/17, concerned four requests made to Google for de-referencing links to online content containing sensitive data, including information on criminal convictions. The CJEU gave a specific interpretation of the legal prohibitions concerning sensitive data for the particular case of search engines. While those limitations apply as a rule to all data controllers, the particular way a search engine operates affects the extent of the operator’s responsibilities for the processing of sensitive data. Consequently, search engines are not prohibited de plano from indexing links to content which includes sensitive data; the limitations do apply, however, once a de-referencing request obliges the operator to verify that content.

The recent EU jurisprudence provides some useful clarifications on the practicalities of the right to be forgotten. Still, more insight would be welcome on the merits of de-referencing requests, namely on the balancing between the right to privacy and the right to freedom of expression and information, and on how far search engine operators must go to ascertain the factual circumstances of the data subject.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

CJEU: cookies still in the limelight

Swiftly after the Fashion ID judgement, the Court of Justice of the European Union analysed another case concerning cookies. This time, the issue of valid consent was examined in the Planet 49 C-673/17 case, where a single pre-ticked box was used to signify consent for two distinct operations: the placement of cookies and participation in a promotional lottery.

The CJEU established that a pre-ticked box does not constitute a valid means of obtaining consent, and that consent must also be specific: the wish to participate in a promotional lottery cannot lead to the conclusion that the user also wants cookies stored on the device.

The CJEU judgement should not be read as meaning that user consent is required for the storage of any cookie, as certain media outlets wrongly reported on the basis of the confusingly worded title of the CJEU press release. The ePrivacy Directive (which will be replaced by the much anticipated ePrivacy Regulation) provides for categories of cookies which do not require prior user consent; in addition, the UK and the French data protection authorities have published guidance on the legal treatment of cookies, a topic you can read about in our previous newsletter.

Read also: a commentary on the judgement by Gabriela Zanfir Fortuna; this explanatory article by Alexander Hanff; an article by Dr. Carlo Pilz on the guidance provided by the DPA of Baden-Württemberg on the Planet 49 case.


The scope of the right to access

GDPR Art. 15 grants data subjects a right to obtain from the data controller access to the personal data processed concerning them, including a copy of such data (without adversely affecting the rights and freedoms of others).

There is no further guidance in the GDPR on what exactly a data subject can obtain following an access request, except for Recital 63, which gives the example of access to data in a person’s medical records “containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided”. Consequently, recent cases involving the right of access have raised the question of whether the data subject is also entitled to receive copies of the documents containing the personal data.

Fresh guidance from the Bavarian supervisor answers in the negative: the data subject does not have a right to photocopies of documents, correspondence or e-mails, only to information about the personal data (as reported in this article). The same issue was previously examined in a case before the Cologne Regional Court, where the scope of the right received a similar interpretation.

Nevertheless, the indications from Germany represent a national perspective. Many practical concerns remain when answering access requests, especially where personal data cannot be searched for within, or extracted from, certain documents, or where the document itself constitutes information about a natural person.

Read also: a case on access requests analysed by the Regional Labour Court of Stuttgart; the ICO’s guidance for medical practitioners.

Romania: NIS Directive transposed

Directive (EU) 2016/1148 on security of network and information systems (the NIS Directive) was transposed in Romania in January 2019, through Law no. 362/2018. As a first step, organisations must ascertain whether they fall within the “operator of essential services” definition; for this purpose, the Romanian Ministry of Communications and Information Society has published a regulation to support such an analysis (Order no. 599/2019).

Further, the Ministry is expected to publish a list of minimum security standards, which operators of essential services must implement within 6 months. Examples of economic sectors subject to the new legislation include energy, transport, banking, health, water supply and digital infrastructure, as well as other important socio-economic activities identified on the basis of the rules in Order no. 599/2019.

CJEU upcoming data protection case-law

The CJEU has received several privacy-related requests which will shed light on the interpretation of European data protection legislation. Don’t overlook the upcoming judgements in the following cases:
► Case C-272/19 Land Hessen, on the right of access as applicable to a parliamentary committee (request lodged in April 2019, further information pending).
► Case C-708/18 TK v Asociaţia de Proprietari bloc M5A Scara-A, on video surveillance in a residential building (request lodged in November 2018, further information pending).
► Case C-61/19 Orange Romania, on what constitutes valid consent (request lodged in January 2019, further information pending).
► Case C-687/18 Associated Newspapers, on personal data and journalism (hearing scheduled for 12 November 2019).

Guidelines & reports

✎ The UK ICO modified its guidance on calculating the timescales for responding to data subject access requests.
✎ The European Parliament published a new study on blockchain and the GDPR (direct download link).
✎ The Danish DPA issued new guidance about posting photos online. Read this article in English on the topic.
✎ Facebook released a White Paper on Data Portability and Privacy.
✎ The Spanish Data Protection Agency published a technical paper on transparency for mobile apps (full document here, in Spanish).
✎ The Bavarian DPA published a new FAQ on the requirements for web fonts, maps, Google Analytics and Facebook Custom Audiences (read here an article in English on the topic).
✎ The UK Centre for Data Ethics and Innovation published its first series of snapshot papers on AI (deepfakes, AI and insurance, smart speakers).
✎ The Irish Data Protection Commission published guidance on direct marketing and GDPR requirements.

Cases & decisions

⚖ Germany: the Local Court of Bochum held that a claimant invoking Art. 82 GDPR must prove that the unsecured transfer of data at issue actually resulted in material or non-material damage (see here an article in English).
⚖ The Higher Regional Court of Frankfurt decided that GDPR consent for data processing can be tied to consent for receiving advertising.
⚖ The Court of Amsterdam heard a case concerning the use of employee fingerprints in a system requiring finger scans at cash registers.
⚖ Denmark released 32 prisoners after reviewing the reliability of geo-location data obtained from mobile phone operators.

GDPR enforcement actions

⚡ The Bavarian Data Protection Authority is investigating the Bavarian Red Cross Blood Donation Service over the use of tracking tools on the organisation’s website. The focus of the investigation is whether sensitive data have been collected and sent to Facebook through the Facebook Pixel and similar technologies.
⚡ This article in Romanian explains the first GDPR fines applied in Romania and their relevance from the point of view of security obligations.
⚡ A new GDPR fine was applied to an online retailer in Latvia (7,000 euros) for not complying with an erasure request.
⚡ The Polish DPA imposed a fine on Morele.net for insufficient organisational and technical safeguards, amounting to 645,000 euros.
⚡ The Spanish Data Protection Regulator fined a restaurant that sanctioned an employee on the basis of mobile phone video evidence submitted by another employee.
⚡ The Irish Data Protection Commission is investigating Google’s DoubleClick/Authorized Buyers ad business for infringement of the GDPR.
⚡ This Mazars analysis presents some statistics on GDPR fines.

More EU data protection news

Cookies:
► This academic study on cookie consent notices, by the Ruhr-Universität Bochum in Germany and the University of Michigan, provides interesting insight into the impact of consent notice design on user choices.

More news about face recognition technology:
► Facebook offers a privacy update on Face Recognition.
► King’s Cross Central in London proposed using facial-recognition technology to identify persons who had previously committed offences on the premises. The ICO has expressed concern and launched an investigation into the matter.
► Meanwhile, it is reported that other sites in London are planning to install CCTV cameras with face recognition capabilities.
► In France, Nice is also preparing to use face recognition technology for law enforcement purposes.
► Much earlier, in 2017, the Italian DPA investigated an advertising system which used face recognition technology to analyse demographic aspects of the audience and to measure, among other things, the level of satisfaction with the advertisement.

Recommended articles

✎ In an era where the digital environment is constantly changing, it’s hard to see what your future data will look like. Valentina Pavel, PI Mozilla-Ford Fellow, shows us possible scenarios.
✎ Lydia F. de la Torre analyses the Google de-listing decisions in this Medium article.
✎ Wi-Fi tracking: three consequences of this practice.
✎ Influencer marketing is an exciting new tool on the market that comes with a lot of GDPR consequences.
✎ Many apps send personal data to Facebook automatically, including health apps.
✎ There are many myths around any important subject, and the GDPR is no exception. Here are some of them.
✎ Privacy threats from inside the organization are analyzed in this article on the IAPP website.