Data Protection News: January 2020

CPDP 2020 Highlights

Each January marks the Computers, Privacy and Data Protection Conference (CPDP), an international event gathering the most important stakeholders in the field. This year, the main theme of the event was Artificial Intelligence, with its multi-faceted approaches: banning or regulation, risks and possible mitigation measures, privacy threat or privacy enhancer, a silver lining for humanity or the sign of imminent destruction. With such a hot topic, the 5-stage event was filled with AI supporters, skeptics and fence-sitters.

But it was not all about AI – some panels discussed subjects such as consumer protection in the context of social media and online trackers, privacy concerns in the application of PSD2, adtech, data security, the one stop shop mechanism, children’s privacy and many others (see the full schedule here). Luckily for those who could not make it or discover the science of being in 5 places at the same time, the CPDP recorded the panels and made them all available online.

These are our favorites among the panels we attended:

The Future is Now: Autonomous Vehicles, Trolley Problem(s) and How to Deal with Them
The trolley problem is obsolete – right now the autonomous vehicles industry is facing important questions about regulation and access to drivers’ data. Andreea Lisievici (Volvo Cars) saliently points out the main concerns of manufacturers.

The One-Stop-Shop: Twenty Months On
Max Schrems talked about the many hurdles of the GDPR one stop shop mechanism and cooperation amongst data supervisors. If a decision is made by a supervisor in a different Member State than the one where the data subject is located, this has the potential of becoming a procedural nightmare when it comes to making appeals.

Is ethical adtech possible? Navigating GDPR enforcement challenges in real-time bidding complaints
Ster, the agency handling advertising for the public broadcasting system in the Netherlands, presented an innovative way of displaying contextual advertising without needing to place cookies or other trackers to profile the audience. The ads are shown depending on the content of the page rather than the profile of the viewer.

We’re also engaging with the privacy professionals community through our LinkedIn company page, so please follow us if you want live updates on relevant privacy issues in Romania.

Brexit & GDPR

The UK left the EU on 31 January and entered into a transition period which will last until the end of December 2020. Naturally, remaining EU entities are concerned about the legal regime of cross-border data processing in this new scenario.

The ICO has issued a statement on data protection and Brexit, indicating that until the end of the transition period, it will be “business as usual for data protection” with regard to entities in the UK. However, fingers are crossed for an adequacy decision from the European Commission, although there are no official signs yet pointing in this direction.

In the absence of a future adequacy decision, transfers to the UK will be treated as third country personal data transfers and will have to comply with the restrictions in Chapter V of the GDPR.

Extra resources: check out this free webinar by 2040 Training on Brexit and the future of the GDPR application.

EDPB: CCTV guidelines

The EDPB has published its much-expected final video surveillance guidance, after public consultation.

The document treats video monitoring irrespective of its purpose – however, much space is given to analysing the data processing for safety and crime prevention.

Key takeaways:
◽️ The document discusses the case when the monitoring exceeds the physical limits of the property.
◽️ Guidance is provided to evaluate necessity and to balance the rights and freedoms of individuals.
◽️ Specific recommendations are made regarding the treatment of personal data access requests.
◽️ Examples are provided on the topic of transferring the video footage to third parties, for different purposes, as well as on the topic of what it means to process special categories of data through CCTV surveillance.

AI Resources

🎓 Norwegian Ministry of Local Government and Modernisation: The National Strategy for Artificial Intelligence.
🎓 European Commission, Joint Research Centre: Robustness and Explainability of Artificial Intelligence. From technical to policy solutions (direct download link).
🎓 Read the European Commission Intellectual Property and Artificial Intelligence – A literature review.
🎓 The ICO warns – police force needs to slow down the implementation of live facial recognition and justify its use.
🎓 Medium: Black-Boxed Politics: Opacity is a Choice in AI Systems.
🎓 The New York Times: The Secretive Company That Might End Privacy as We Know It – an investigation about Clearview AI, the face recognition app.
🎓 ZDNet: What is AI? Everything you need to know about Artificial Intelligence.

Cookies & Adtech

🍪 The CNIL publishes updated draft guidelines on cookies.
🍪 The Finnish Transport and Communication Agency published guidance on the use of cookies.
🍪 ICO Blog: Adtech and the data protection debate – where next?
🍪 German Data Protection Authorities (DSK) discuss, among other things, wide inspections of media websites that use online tracking tools.
🍪 The Norwegian Consumer Council (Forbrukerrådet) publishes an extensive report on the violation of consumer rights by the online advertising industry.
🍪 The Belgian DPA litigation chamber decides on a case concerning the use of cookies (see here a summary in English).
🍪 Forbrukerrådet: New study: The advertising industry is systematically breaking the law.
🍪 Karolina Iwańska: 10 Reasons Why Online Advertising is Broken.

Guidelines & reports

✒️ North Rhine-Westphalia DPA answers FAQ on the DPO (read here an article in English). The DPA provides examples of conflict of interest and rejects the possibility that a legal person might be a DPO.
✒️ Irish DPC blog: Data Protection on the Campaign Trail.
✒️ The ICO launches consultation on draft direct marketing code of practice.
✒️ Saxony DPA considers that the “remember me” default setting for websites and apps violates the GDPR privacy by design and by default principle (see here an article in English).
✒️ The Council adopted its position and findings on the application of the General Data Protection Regulation (GDPR) (direct download).
✒️ The CNIL finds it excessive to use CCTV in schools for systematic and continuous surveillance.
✒️ Finnish DPA publishes FAQ section in English.
✒️ EDPB issues Opinion 5/2020 on the draft decision of the Luxembourg National Data Protection Commission regarding the approval of the requirements for accreditation of a certification body.
✒️ The EDPB responds to MEP Sophie in’t Veld’s letter on unfair algorithms.
✒️ ENISA publishes report on the main supervision changes brought by the European Electronic Communications Code.
✒️ German Federal Commissioner for Data Protection and Freedom of Information (BfDI) provides views on encryption as a recommended security measure (article in English).
✒️ ENISA publishes an online tool for evaluating the level of risk for a personal data processing operation.
✒️ The ICO issues guidelines on standards for internet services intended for children – read here a summary by Fieldfisher.
✒️ The Irish DPA comments on whether data protection law can apply to opinions.
✒️ The European Banking Authority (EBA) issues report on key challenges in the roll out of Big Data and Advanced Analytics.
✒️ The Draft for a Code of Conduct on the use of GDPR compliant pseudonymisation, initiated by the German Ministry of Internal Affairs, is available in English.
✒️ Data Protection Authority for the State of Saarland (Germany) examined the use of WhatsApp by public institutions in their communications with citizens (read here an article in English).
✒️ The Data Protection Authority (DPA) of Saxony considers that the deployment of penetration testing requires the conclusion of a data protection agreement with the third party contractor (read here an article in English).
✒️ ICO guidance: What is NIS?

Case-law & legislation

⚖ New EU rules for protecting consumers enter into force. Read more about the EU’s New Deal for Consumers.
⚖ Fieldfisher publishes a table with processing activities which trigger the obligation to conduct a DPIA, based on national “DPIA blacklists” (direct download here).
⚖ The ECtHR decided in Breyer v. Germany on the legal obligation on service providers to store personal data of users of pre-paid mobile-telephone SIM-cards and make them available to authorities upon request (legal summary available here).
⚖ The CJEU Advocate General Campos Sánchez-Bordona delivered the Opinion in case C‑78/18 (European Commission v Hungary) concerning the national law which required transparency for donations from abroad made to certain NGOs. The AG finds the measure “unjustified and disproportionate interference with the rights of those who make donations to respect for their privacy and to the protection of their personal data”.
⚖ Geo-blocking sanctions in e-commerce are finally provided in Romanian legislation.
⚖ The interaction between PSD2 and GDPR is analyzed in this article by Dilja Helgadottir.
⚖ The Saxon State Labour Court in Germany ruled on the dismissal of a DPO (see here an article in English).
⚖ The Wertheim Local Court in Germany imposed a penalty on a company for failing to comply with a personal data access request (see here an article in English).
⚖ Berlin Court rules that Facebook’s privacy settings and part of its terms and conditions violate consumer protection legislation. The violations refer to the use of photos for commercial purposes, default geolocation in the chat function and profile visibility for search engines.
⚖ Also, in Italy, Facebook is threatened with a fine of 5M Euros by the national competition authority. The concern is the continued lack of transparency regarding the use of personal data by the social network.
⚖ The European Court of Human Rights hears case against Hungary on the topic of freedom of expression, in the context of a political party’s mobile app which allowed voters to photograph, upload and comment on invalid votes cast during a 2016 referendum (read here the press release).
⚖ German court rules on illegal use of an employee’s photo on Facebook, after the employment relationship ended (read here an article in English).

GDPR enforcement actions

🔥 A pharmacy in London was fined for careless storage of patient data. The pharmacy left thousands of documents in unlocked containers at the back of its premises.
🔥 The Hungarian DPA has fined an organization for an unlawful search of the archived e-mail account of a former employee (see here an article in English).
🔥 The ICO continues its oversight of real time bidding (RTB) in adtech, as important actors have pledged to resolve issues raised by the authority.
🔥 The Austrian DPA found a violation of GDPR in the case of a dating website which did not use an e-mail double opt-in mechanism (article in English).
🔥 The Italian DPA fined Eni gas e luce 11.5 M Euros for unsolicited telemarketing and activating contracts without request.
🔥 H&M risks a fine in Germany for recording sensitive data of employees and storing it in such a way that all the managers had access.
🔥 The Italian DPA calls for an EU task force to tackle the privacy risks posed by the TikTok social network.
🔥 The Cypriot DPA banned the use of a human resources automated tool which scored the types of sick leave and profiled employees based on these criteria.

More data protection news

💬 Bird&Bird launches useful online resource for GDPR and HR.
💬 The Privacy Icons Forum was launched, which is “a collaboration of institutions that focus on the development, design and implementation of data privacy and data protection icons.”
💬 A supermarket chain is being targeted by the Belgian DPA in connection to the use of biometric payments.
💬 The Norwegian Consumer Council (Forbrukerrådet) is filing formal complaints against Grindr and five companies that were receiving personal data through the app.
💬 Read this post by Greet Gysen: Getting data subject rights right.
💬 Trans Atlantic Consumer Dialogue: Privacy in the EU and US: Consumer experiences across three global platforms.

Recommended articles

📰 Future of Privacy Forum publishes its selected award winning papers: “Antidiscriminatory Privacy” and “Algorithmic Impact Assessments under the GDPR”.
📰 Reuters: Strip searches and ads: 10 tech and privacy hot spots for 2020.
📰 Revision/Legal: Data Breach Litigation: Theories of Damages in Data Breach Cases.
📰 Bird&Bird: What exactly is a Digital Service Provider in the context of NIS Directive?
📰 The Washington Post: How we survive the surveillance apocalypse.
📰 Paolo Balboni: Joint Controllership: A collection of recent guidance.
📰 The Guardian: Fresh Cambridge Analytica leak ‘shows global manipulation is out of control’.
📰 Lydia F de la Torre on Medium: Right to delete under CCPA.
📰 Privacy International: Cloud extraction technology: the secret tech that lets government agencies collect masses of data from your apps.
📰 European Law Blog: International data transfers, standard contractual clauses, and the Privacy Shield: the AG Opinion in Schrems II.
📰 Jones Day: Global Privacy & Cybersecurity Update.
📰 HARVARD Kennedy School: Technology Factsheet: Internet of Things.
📰 BBC: Ring doorbell ‘gives Facebook and Google user data’.
📰 According to ZDNet, a class action has been brought in the US against Clearview, the firm that scrapes social media for people’s photos.
📰 Research quoted by ZDNet shows that a large number of Android apps contain self-contradictory language in their privacy policies with regard to data collection practices. Part of the problem is the use of auto-generated privacy policy templates available on the internet.
📰 Cornell University: Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.

Our newsletters are available for information purposes only and cannot be relied on as legal advice.