Data Protection Insider, Issue 17

– European Parliament Discuss Californian Adequacy –

Earlier this month, the European Parliament discussed the third annual review of the Privacy Shield agreement. The discussion was lengthy, and several interesting and differing viewpoints were presented. In the course of the discussion, however, one particularly interesting question emerged: should the Privacy Shield agreement ever be struck down, could California receive adequacy on its own? The discussion naturally emerged on the back of recognition of the strength, compared to federal protection, of the new Californian state data protection law, the CCPA. The discussion is interesting for several reasons. Two stand out. First, the discussion highlights the seldom-considered possibility for states, or territories, within countries, to apply for adequacy separately from the country itself – recall the discussions as to the adequacy of Quebec in 2014. Second, the discussion gives pause for serious reflection on the CCPA and other relevant Californian law, and their compatibility with European data protection laws. In the first instance, despite the fact the CCPA has been largely lauded in Europe for the strength of protection it offers, and even though it has been referred to as a US GDPR, there remain significant differences between the CCPA and European data protection laws. Compare, for example, the scope of the CCPA as providing protection for consumers’ personal data and the scope of the GDPR as providing protection for natural persons’ personal data. In turn, even if the CCPA were a carbon copy of the GDPR, California is still a state in the US. Accordingly, California is still subject to federal laws. Some of these laws have been highlighted as problematic for EU data protection standards in the past and would need to be taken into account in any state adequacy process in the future.


– ECtHR on the Retention of DNA Profiles, Fingerprints and Photographs –

On 13th February, the ECtHR ruled on the case of Gaughran v. The United Kingdom. The facts of the case were as follows: the applicant was arrested and convicted for drunk driving in Northern Ireland. In the course of his arrest and conviction, a range of personal data was taken from him, including: his DNA, from which a DNA profile was created; his fingerprints; and a photograph. This personal data was then retained for an indefinite period under national legislation. The applicant alleged that the indefinite retention of this data constituted a disproportionate interference with his Article 8 right to respect for private life. The Court unanimously ruled an interference had taken place. In this regard, the Court reasoned that ‘the indiscriminate nature of the powers of retention of the DNA profile, fingerprints and photograph of…[a] person convicted of an offence, even if spent, without reference to the seriousness of the offence or the need for indefinite retention and in the absence of any real possibility of review, failed to strike a fair balance between the competing public and private interests.’ The case is interesting for several reasons. Two deserve mention. First, the Court highlighted the unique post-mortem, familial, privacy interests engaged by DNA profiles. Specifically, the Court highlighted that an indefinite DNA profile retention scheme was not comparable to an indefinite fingerprint or an indefinite photo retention scheme as DNA profiles could allow information on genetic relatives to be extracted and processed long after an initial donor had died. Second, the Court highlighted the significance of facial recognition technologies as transformative of the degree of interference with fundamental rights implied by the retention of photographs.


– ECtHR on the Retention of DNA Profiles (Again) –

On 13th February, the ECtHR ruled on the case of Trajkovski and Chipovski v. North Macedonia. The facts of the case were as follows: in the course of their arrest and conviction for theft, the two applicants had DNA samples extracted from them. The DNA profiles created from these DNA samples were then retained by national law enforcement authorities. The applicants alleged the extraction and retention of, respectively, their DNA samples and DNA profiles, constituted an infringement of their Article 8 rights to respect for private life. In particular, the applicants alleged there was no clear legislative framework governing such extraction and retention in North Macedonia. The Court unanimously found an interference had taken place. In this regard, the Court argued that: ‘the blanket and indiscriminate nature of the powers of retention of the DNA profiles of the applicants, as persons convicted of an offence, coupled with the absence of sufficient safeguards available to the applicants, fails to strike a fair balance between the competing public and private interests.’ The case is less interesting than the similar case of Gaughran v. The United Kingdom (discussed above). The legal logic sticks closely to established principles in ECtHR case law and the facts of the case are such that the finding is unsurprising. Nevertheless, there are noteworthy aspects of the ruling. In particular, the Court asserted that ‘DNA material’ constitutes personal data – reiterating its position in the Marper case. This assertion adds further legal weight to the argument that DNA samples and other biological material should be regarded as personal data in EU data protection law.


– ECtHR on Lawyer-Client Confidentiality –

On 4th February, the ECtHR ruled in the Krugov and others case concerning police searches of lawyers’ homes and offices. The fifteen applicants were lawyers and clients of the applicant lawyers. Of the lawyers, only one was under suspicion of having committed a criminal offence. The applicants alleged that the search warrants and/or the way the searches had been carried out were illegitimate and constituted a violation of their Article 8 rights. The ECtHR concurred and found a violation. The ECtHR asserted that the warrants and searches had an overly broad scope and that the domestic courts which had permitted them had failed to strike the right balance between the need for confidentiality in lawyer-client relationships and the need to investigate crime. In particular, the ECtHR highlighted that adequate safeguards to protect lawyer-client confidentiality were missing from the warrants and searches. For example, there was no sifting of data carried out to make sure investigating authorities did not obtain data unrelated to the cases being investigated. The reasoning of the ECtHR in the case was notable for several reasons. Two stand out. First, although the ECtHR asserted that Russian law complied with the “in accordance with the law” criterion, the ECtHR also highlighted – in a somewhat contradictory manner – that Russian law did not protect all types of professional confidentiality. Second, as the ECtHR pointed out on several occasions throughout the judgment, the domestic authorities failed to perform adequate necessity and proportionality assessments. This observation is unusual for a case concerning Article 8 and Russia. In other such cases, the ECtHR has tended to focus on the “in accordance with the law” requirement and has refrained from looking at the necessity and proportionality of measures.


– EDPB Draft Guidelines on Connected Vehicles –

On 7th February, the EDPB published its draft Guidelines on Connected Vehicles and Mobility Related Applications. The draft Guidelines are welcome in dealing with an issue which is gaining in prominence and significance, as more and more types of vehicle integrate personal data processing systems. The draft Guidelines are also welcome in their holistic description of the data protection principles which are relevant in relation to connected vehicles and in how these principles might be discharged. With such a holistic approach, however, comes the natural downside that the depth of consideration of each provision is limited. For example, the Guidelines place a heavy emphasis on the need for data controllers to obtain consent from data subjects for processing in connected vehicle applications – according to Article 5(3) of the ePrivacy Directive. Yet, the Guidelines fail to provide any in-depth look at how consent might effectively be requested and obtained. Several aspects of the Guidelines are of interest. Two deserve mention. First, the Guidelines are directed at, amongst others, manufacturers. On the one hand, this makes sense as manufacturers are key players in setting the data processing parameters of connected vehicles and mobility related applications. On the other hand, however, recall that EU data protection law has never directly applied to manufacturers. Second, the Guidelines suggest that, if initial processing is legitimated based on consent, further processing, even if not foreseen at the moment consent has been obtained, cannot be legitimated based on compatibility under Article 6(4) GDPR. This is a novel conceptualisation of the limits of compatible secondary processing not found in law. The draft Guidelines are now open for public consultation. The consultation process will run until the 20th March 2020.


– Irish DPC Opens Probes into Google and Tinder –

The Irish DPC has opened fresh probes into Google and Tinder. The investigation against Google concerns the processing of location data and the transparency of this processing. The probe follows complaints by national consumer organisations lodged at the end of 2018. The investigation against Tinder concerns the transparency of the processing of users’ data and the handling of users’ requests to exercise data subject rights. The Irish DPC pointed out that the latter investigation is not a response to any one complaint. Rather, the investigation was sparked by numerous similar complaints. The Irish DPC are to be applauded for taking the issue of transparency and data subjects’ rights on platforms so seriously – even if the launch of the investigations took more than a year. The launch of the investigations is significant for several reasons. Two stand out. First: the investigations will likely result in the elaboration of specific principles concerning data subject transparency on platforms. Second: the investigations will likely result in clearer elaborations of how apps should realise users’ data subject rights. In this regard, the investigations may provide a forum through which to clarify whether platforms are required to disclose the mechanics of their profiling algorithms to users.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
