Data Protection Insider, Issue 61

EDPL Data Protection Insider 20.01.2022

- Another Surveillance Law ‘Bites the Dust’: the ECtHR on the Bulgarian Surveillance Law in Ekimdzhiev and Others v Bulgaria -

On 11th January 2022, the ECtHR ruled that both the Bulgarian law on secret surveillance and the Bulgarian rules on retention and accessing of electronic communications data for law enforcement and national security purposes, as they currently stand, breach Article 8 ECHR. The Court first confirmed that the mere existence of the secret surveillance laws and the rules on the processing of the data by telecommunication providers and law enforcement authorities constitute an interference with Article 8 ECHR. It also noted that the contested laws had a wide scope of application and there were no safeguards to preclude their application to potentially anyone in Bulgaria. Hence, it decided to examine the applicable rules in abstracto. When examining the complaints, the Court noted that the actions in question had a legal basis in Bulgarian law and proceeded to examine the quality of the laws. It found the applicable laws insufficient on several grounds, the majority of which were similar for the secret surveillance laws and the rules on the processing of electronic communications data: (1) not all rules on data processing and destruction have been made public; (2) the authorising authorities are not able to ensure that the measures are implemented only when necessary in a democratic society; (3) the rules on the storage and destruction of the data were not clear enough; (4) the oversight authorities lacked the powers to effectively supervise the operation of the measures; (5) the notification arrangements were too narrow, e.g. providing for notifications only where the data had been processed illegally; and (6) no effective remedies were available. As a result, the Court ruled that the two examined interferences did not satisfy the ‘quality of the law’ requirement and that the law could not ensure that they were ‘necessary in a democratic society’, because they did not provide enough safeguards against abuse. 
We note that the ruling largely confirms the existing jurisprudence on secret surveillance measures, e.g. in Russia, Sweden and the United Kingdom.

https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-214673%22]}

- EDPS Orders Europol to Delete Data -

On 21st December 2021, the EDPS adopted its first-of-a-kind order to Europol, namely ordering it to delete the personal data of persons who are not involved in a criminal investigation falling within the Europol mandate. As to the background of the case, according to the Europol Regulation, Europol may process the personal data only of certain persons, including those who are classified as suspects, victims or witnesses – which is essentially a data minimisation provision. However, in 2020, the EDPS noted in an admonishment letter sent to Europol that Europol had been processing Big Data, which, due to ‘their characteristics and notably their size’, have not been classified and thus could also include the personal data of individuals who are not related to a criminal investigation. In other words, the EDPS considers this to be a breach of the Europol Regulation. The EDPS observed that since the 2020 admonishment letter, Europol has failed to take satisfactory measures to delete the data lacking data subject classification. For these reasons, the EDPS has now ordered Europol to classify the non-classified data within six months of the decision and to delete the data which do not fall within any of the categories prescribed by the Europol Regulation. Data received after the decision must be deleted within six months of being found to be held illegitimately. Data already held by Europol must be deleted within twelve months of being found to be held illegitimately. In the meantime, the non-classified data may not be processed for any other purpose but classification, and Europol must update the EDPS every three months on the progress achieved in relation to data categorisation and erasure. The EDPS decision may be challenged in front of the CJEU.
We note that it remains to be seen how the principle of data minimisation could remain a safeguard in relation to Big Data in view of the ongoing update of the Europol Regulation, as proposed in 2020, one of whose purposes is to allow ‘Europol to effectively support Member States and their investigations with the analysis of large and complex datasets, addressing the big data challenge for law enforcement authorities’.

https://edps.europa.eu/system/files/2022-01/22-01-10-edps-decision-europol_en.pdf

- EDPB Publishes Contribution to Law Enforcement Directive Evaluation -

On 14th January, the EDPB adopted its ‘Contribution of the EDPB to the European Commission’s evaluation of the Data Protection Law Enforcement Directive (LED) under Article 62’. The contribution begins by offering a series of general ‘policy messages’. These include the top-level observation: ‘Taking into account that the past four years have been characterised primarily by the national processes to transpose the LED and that case law is only starting to be developed the EDPB considers that, in practice, it is a relatively early stage for a comprehensive evaluation of the implementation and application of the provisions of the Directive as transposed. Moreover, because of the recent implementation of the LED, on some parts of the LED, there is only limited experience and empirical data, differing across Member States. Therefore the EDPB recalls that it would be too early to draw conclusions on the effectiveness of this legal instrument and to even consider any revision of the LED at this stage.’ Among the policy messages, the EDPB also makes observations as to areas in need of work, such as, for example: ‘the EDPB sees the great need to provide further guidance in order to ensure the use of emerging new technologies by law enforcement authorities be in compliance with the Charter of Fundamental Rights and the LED.’ The contribution then proceeds to briefly describe the EDPB’s ‘Work According to the Tasks Listed Under Article 51 LED’ – concerning the ‘Tasks of the Board’. The main body of the report, however, consists of a summary of ‘contributions and replies by [Member State Supervisory Authorities] to each of the questions asked via [a] Questionnaire on the Evaluation of the LED sent by the European Commission’. This summary provides much useful information on the activity of Supervisory Authorities in relation to the LED and is well worth a look for anyone interested in data protection in the law enforcement context.

https://edpb.europa.eu/system/files/2021-12/edpb_contribution_led_review_en.pdf

- EDPB Publishes December Plenary Meeting Documents -

The EDPB has published the documents which it adopted during its plenary in December 2021:

  • ‘EDPB contribution to the evaluation of the Law Enforcement Directive’;
  • ‘EDPB response to MEP István Ujhelyi on the alleged use of the Pegasus spyware’;
  • ‘Guidelines on examples regarding data breach notifications (following public consultation)’;
  • ‘Opinion 39/2021 on whether Article 58(2)(g) GDPR could serve as a legal basis for a supervisory authority to order ex officio the erasure of personal data, in a situation where such request was not submitted by the data subject’.

The January plenary meeting is taking place on 18th January 2022 and its detailed and ambitious agenda is already available on the EDPB website.

https://edpb.europa.eu/news/news/2022/december-plenary-adopted-documents_en

- CNIL Levies Massive Fines for Cookies -

Politico reports that the CNIL has announced it will levy massive fines on Google and Facebook in relation to their use of cookies. The CNIL has announced ‘fines of €150 million for Google and €60 million for Facebook’. Specifically, the fines have been announced in relation to the companies’ failures ‘to allow French users to easily refuse cookies’. The fines relate to the CNIL’s enforcement powers under the e-Privacy Directive. Under the GDPR, the CNIL would not have constituted the main supervisory authority for the companies – this would have been the Irish DPC – and therefore would not have been able to act in such a forceful manner.

https://www.politico.eu/article/france-takes-bite-out-of-cookie-banners-with-fines-targeting-facebook-google/

- Meta Subject of Massive Class Action on Exploitation of Consumer Data -

Euractiv reports that Meta – Facebook’s parent company – is to be the subject of a massive class action suit. The suit will be brought on behalf of ‘44 million UK Facebook users’ in relation to Facebook’s activities with users’ personal data in the period 2014-2019. Euractiv reports that the ‘case will fall under the UK’s Competition Act, and…lawyers [will] seek compensation of at least £2.3 billion, plus interest’. More specifically, the suit claims that, in this period, all UK Facebook users paid ‘an “unfair price” for using the platform’ and therefore deserve compensation. The argument builds around the idea that Facebook occupies a dominant position in the market and that it has used this position to ‘exploit the personal data of British users’. Euractiv reports that ‘the suit will soon be filed before the UK’s Competition Appeal Tribunal, which will consider whether to allow the case to proceed to trial.’ How the suit is received and will progress remains unclear. However, its development should be followed with interest. The arguments involved touch on several key discussions concerning law and economies of personal data, not least: the monetary value of personal data, the relationship between data protection and competition law, and the limits of platform power.

https://www.euractiv.com/section/digital/news/facebook-faces-2-3bn-class-action-in-the-uk-for-data-exploitation/