Data Protection Insider, Issue 11

– The EDPS on E-evidence and on Data Controllership within the EU –

Last week, the EDPS issued two documents:

1. Opinion on Proposals regarding European Production and Preservation Orders for electronic evidence in criminal matters. In this opinion, the EDPS calls for a balance between fighting crime and for respect for fundamental rights. The EDPS pays special attention to the need for more robust safeguards – e.g. the increased involvement of the judicial authorities in executing Member States. The EDPS also recommends clearer definitions for categories of personal data which will be processed within the frameworks of European Production and Preservation Orders.
2. Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725. With these guidelines, the EDPS aims at helping EU institutions and bodies comply with Regulation 2018/1725 by clarifying the concepts of data controller, data processor and joint controller. The guidelines provide a checklist and flowchart dealing with the definitions which should help addressed entities determine their role. The guidelines further elaborate on the respective responsibilities of addressed entities – especially in relation to data subject requests. The EDPS suggests that other entities processing personal data – apart from the EU institutions and bodies – may also find the guidelines useful.

– UN Special Rapporteur Releases Health Data Standards –

Joseph Cannataci, the UN Special Rapporteur on the Right to Privacy, has unveiled a draft set of standards on the protection of health data. The draft is now open for consultation. The draft is intended to be internationally relevant and covers a huge range of issues and sectors concerning the processing of health data. In terms of both geographical scope and breadth of consideration, the standards are unique in the ecosystem of data protection instruments and standards. The standards are welcome for several reasons. Three reasons stand out: (i) the standards offer a comprehensive and cogent approach to the protection of health data unavailable elsewhere; (ii) the standards specifically address aspects of contemporary processing of health data processing largely unaddressed elsewhere – for example, the draft provides specific sections on Mobile Applications and on AI, Algorithmic Transparency and Big Data; (iii) the standards provide a subtlety of approach in dealing with the various types of data subjects of health data processing not provided elsewhere – for example, the draft provides specific sections on People Living with Disabilities and Health-Related Data, on Gender and Health-Related Data and on Intersectionality and Health-Related Data. Given their breadth and quality, the standards will hopefully become an influential soft-law instrument guiding policy makers and practitioners concerning health data.

 

– Candidates Announced for EDPS Vacancy –

Following an initial selection procedure by the European Commission, the shortlist of candidates for the vacant EDPS position has been announced. The candidates are:

– Yann Padova (France)
– Endre Szabó (Hungary)
– Wojciech Wiewiórowski (Poland)

According to Article 53 of Regulation 2018/1725 – the Data Protection Regulation for EU Institutions – the shortlist of candidates will now be considered in the European Parliament. Specifically, the shortlist will be considered in front of the Committee on Civil Liberties, Justice and Home Affairs – the relevant Parliamentary committee dealing with matters of EU data protection law. The Committee will now hold public hearings for each candidate before expressing a preference. The person chosen to be EDPS will play a significant role in shaping the European data protection landscape. In the first instance, the EDPS is a key office in European data protection law and the person occupying the office will have considerable influence. In turn, the EDPS has broad leeway in deciding which topics they engage with, how they substantially position themselves in relation to these topics and how they communicate their positions.

 

– Huge Fine for Infringement of Privacy-By-Design –

On 30th October 2019, the Berlin DPA issued the highest fine thusfar handed down in Germany under the GDPR: €14,5 million. The fine was issued against the real estate company Deutsche Wohnen for violating the principle of data protection-by-design (Articles 5 and 25(1) GDPR) and for storing personal data without a legal basis (Article 6 GDPR). The systems on which the data was stored purportedly did not have a deletion option and the data was stored long after it had fulfilled the purpose for which it was collected. The illegitimately processed personal data included copies of salaries, bank statements, tax information and social and health insurance information. Personal data was stored both on individuals living in the company’s properties as well as those who had only applied for accommodation. Deutsche Wohnen has declared that it will appeal the decision. In its defense, the company emphasized the fact that it had not disclosed the contested data to any third parties. The case has several interesting features. Three stand out: (i) the DPA used the new DSK method for calculating the size of the fine – discussed in the previous issue of Data Protection Insider; (ii) the case represents one of the first times a fine has been handed down for a breach of the data protection-by-design principle; and (iii) the fine may have significant implications for private landlords.

 

– The Growing Debate on Facial Recognition in the EU –

In the past two weeks, there has been a flurry of DPA activity on the topic of facial recognition (FR): the Swedish DPA approved the usage of the technology by its police forces; the ICO expressed reservations as to whether certain uses of the technology by UK police forces would be legal; the CNIL declared the planned trial of facial recognition in two French schools as illegal; and the EDPS raised general concerns about facial recognition. Interestingly, the opinions of the different DPAs issued in the past weeks hint at the emergence of different approaches to FR – although, admittedly, substantive comparisons are hard to draw as neither the specific use cases considered, nor the relevant national legal frameworks are exactly equivalent. This flurry of activity also raises broader questions. Two sets of questions seem particularly relevant. First, to what degree should FR be regarded as a problem for data protection alone and, consequently, to what degree should FR a matter to be left to DPAs alone? Can the significant potential of FR technologies to shift power relations between individuals and data controllers be effectively managed through data protection law and DPAs? Second, why have discussions on FR picked up so dramatically in the last months? From a substantial perspective, why has FR technology has been allowed to dynamically evolve for so long without an equally dynamic substantive debate on its fundamental rights implications? From a political economy perspective, which factors have combined to launched FR into the limelight – is it the legal change to the GDPR and its explicit listing of biometric data, is it the expansion in the practical use of FR and its increasing public exposure, is it that recognition of the threat FR poses to core values has reached critical mass or is it something else altogether?

 

– Irish DPA Investigates Social Media Micro-Targeting –

The Irish Data Protection Commissioner, Helen Dixon, has stated that the Irish DPA is conducting several investigations into the use of social media micro-targeting – the practice of creating detailed profiles of users and using these profiles to deliver targeted content. The investigations span a broad range of actors engaged in the practice of micro-targeting including social media platforms, data brokers and ad exchanges. The core of the investigations will revolve around the data protection principles of lawfulness and transparency. The Commissioner highlighted the significance of the investigations by reference to the potential of micro-targeting to amplify the consequences of the spread of misinformation and to influence elections. These investigations are interesting for several reasons. Three are particularly noteworthy. First, the investigations further enhance scrutiny around the ad-tech ecosystem – investigations are already underway in other EU Member States. Second, the investigations constitute another strand in the already broad range of activities engaged in by the Irish DPA. The breadth and energy of the DPA is impressive. However – at least from an outside perspective – current activity seems to be at odds with the traditionally tech friendly approach to data protection in Ireland. Finally, the investigations raise further questions about the boundaries of the purposes and capacity of data protection law. To what degree, for example, should the weight of regulating misinformation sit on the shoulders of data protection? To what degree should the substantive rights and wrongs engaged by the distribution of misinformation be resolved through data protection-procedural considerations such as transparency and lawfulness?

 

Über

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort