Data Protection Insider, Issue 20

– ECtHR and Disclosure of Politicians’ CVs –

On 26th March, the ECtHR issued a ruling concerning the balance between the right to privacy (Article 8 ECHR) and the right to freedom of expression (Article 10 ECHR). According to the facts of the case, a Ukrainian NGO – the Centre for Democracy and the Rule of Law – requested copies of the CVs of six elected politicians following the 2014 Ukrainian Parliamentary elections in order to examine the integrity of these politicians. The NGO was especially interested in their education and previous work experience. The authorities denied the request on the grounds of confidentiality. The applicant NGO argued that this refusal interfered with their right to freedom to receive information – in particular given their role as a watchdog in rule of law matters. The ECtHR ruled that there was an interference with Article 10 ECHR and that this interference was not necessary in a democratic society. The ECtHR asserted that domestic decisions on the case had failed to carry out an adequate balancing of the interests at stake. As the ECtHR observed, although the domestic fora had examined the effects of the non-disclosure of the CVs on the NGO’s freedom of information rights, they failed to examine “the degree of potential harmful impact on the politicians’ privacy”. In this regard, the ECtHR highlighted that, in this case, the impact was likely to be minimal. The case is significant for 2 reasons. First, the case is a welcome addition to the ECtHR’s jurisprudence on privacy and freedom of expression in politics. The case reaffirms – unsurprisingly – that political actors’ privacy should only prevail over freedom of expression if disproportionate harms to privacy can be established. Second, the facts of the case demonstrate how the right to privacy can easily be abused by national authorities to refuse access to information vital for public debate and for upholding the rule of law.


 – European Commission Sends Draft of Partnership Agreement to UK –

On 18th March, the European Commission sent a first draft of the Agreement on the New Partnership to the United Kingdom. The Agreement makes numerous references to data protection. Three types of reference are particularly noteworthy. First, the Agreement recognises the need for both parties to recognise the fundamental right to data protection and to ensure a high level of protection for personal data – see, for example, Articles COMPROV.10 and DIGIT.7. This first recognition it particularly significant – and perhaps controversial – given that, following Brexit, there will be no fundamental right to data protection in the UK legal order. Second, the agreement recognises the powers of each party to regulate independently on data protection issues – see, for example, Articles GRP.1 and DIGIT.3. Finally, the Agreement recognises the significance of data protection provisions in specific processing sectors. For example, the Agreement references to the need for adequate data protection in relation to law enforcement and judicial cooperation in criminal matters – including a requirement, in Article LAW.GEN.4, that: ‘Transfers of Passenger Name Record…may only take place where…in accordance with Article 45 of the [GDPR]…that the United Kingdom…ensures an adequate level of protection’. The statements in the draft Agreement should be taken with caution. This is just a draft, released at an early stage in negotiations, and will doubtless go through many iterations before a final, agreed upon, version emerges – if a final version can be agreed upon at all. Given the current situation, it is hard to say when further iterations of the Agreement will appear. The outbreak of the corona virus is currently the focus of political efforts – both at EU and UK level. This focus likely leaves little capacity for political discussion of the Agreement.


– Brave Launches New Case Against Google –

Brave has filed a case with the Irish DPA concerning Google’s personal data processing practices. Brave assert that Google collects personal data from users via several different Google services and then uses the data, collected from each individual service, across a range of the company’s services. Brave asserts that this merging of data streams is problematic from an EU data protection law. In particular, Brave sees the practice as a violation of the purpose limitation principle under Article 5(1)(b) of the GDPR. Brave assert that, whilst Google does elaborate purposes connected with each collection of personal data, these elaborations are: ‘so vaguely defined as to have no meaning or limit’. It will be fascinating to see how the complaint proceeds and is resolved. From a data protection law perspective, the case is fascinating as it revolves around the purpose limitation principle. Whilst the principle sits at the core of EU data protection law, it remains the subject of considerable uncertainty. For example, the GDPR leaves open critical questions as to what the legitimate scope of compatible processing is – according to Articles 5(1)(b), 6(4) and Recital 50 – and whether such compatible processing requires a new legitimation under Articles 6 and 9. From a broader perspective, the case is fascinating as, if successful, it would likely mean the need for the data giants to implement some degree of functional separation of data streams – no more unfettered merging of data from multiple services. This would have significant impacts on the power of such companies in relation to the rest of the market. This would, thus, constitute a significant change to the landscape of the data economy.


 – Overview of DPA Responses to COVID-19 –

In considering the relationship between data protection law and the COVID-19 outbreak, responses by Member States’ Data Protection Authorities are of key interest. With this in mind, we would point the interested reader to the overview of the DPA responses put together for the EDPL. The overview focuses on the following topics: tracking of location data, the processing of health data by public authorities, the processing of health data by employers, data protection in the framework of employees doing home office, (unsolicited) government contact via electronic communication and (public) information about infected persons. The overview concludes that DPAs are keen on providing data protection guidance and upholding data protection in times of crisis. The overview also concludes that, however, due to the current state of emergency, DPAs do not always coordinate responses and guidance sometimes diverges. As a consequence of this divergence, the level of protection suggested by DPAs differs across countries. 


– The Thin Line between Monitoring COVID-19 and Disproportionate Surveillance –

The EDPS has offered a response to an inquiry by DG CNECT concerning the possibility to process anonymised telecommunications data for the purposes of fighting COVID-19. In this response, the EDPS raises three significant points. First, the EDPS emphasising the importance of effectively anonymising the telecoms data in question. Second, the EDPS highlights the need to upholding data security standards even when processing anonymous data. Third, and most importantly, the EDPS highlights that any derogations from generally applicable rules on data processing should remain exceptional and should be terminated once the COVID-19 outbreak is under control. Thus, the EDPS advises that the telecommunications data in question should be deleted as soon as they are no longer needed and that the exceptional measures should not persist following the outbreak. This message is of critical importance as surveillance measures, once adopted, are often left in place after their original justification is no longer valid – for example the surveillance measures put in place following large scale sporting events. This concern echoes concerns voiced by privacy activists, who have been critical towards the acquisition of telecommunications data by Member State authorities – for example in Austria and Germany – to combat COVID-19. In this regard, the processing of telecommunication data in the framework of COVID-19 is reinvigorating the debate on data retention – which started several years ago in the framework of the fight against terrorism.


– EDPS Closes Investigation into European Parliament 2019 Elections –

On 23rd March, the EDPS issued a press release confirming that it had ‘closed its investigation into the European Parliament’s use of a US-based political campaigning company to process personal data as part of its activities relating to the 2019 EU parliamentary elections.’ The investigation – covered previously in this newsletter – concerned data collection and processing through the website The website had been set up by the European Parliament as part of its 2019 elections campaign in order to encourage citizens to vote. The website, however, collected data from the EU citizens – 329,000 in total – who visited the site and sent this data, for further analysis, to the US company NationBuilder. The EDPS launched an investigation to evaluate the degree to which the website’s data processing practices aligned with EU data protection rules – not least because of previous controversy associated with NationBuilder. The investigation resulted in a series of recommendations from the EDPS to the European Parliament. According to the EDPS, the investigation led to several changes in the way the European Parliament approaches the processing of citizens’ personal data. These changes concern the way in which personal data collected through the website in question are processed. These changes also concern the general awareness of the European Parliament as to the degree of care needed in processing citizens’ personal data. The contract with NationBuilder came to an end in July 2019. One would presume the European Parliament will, in future, be more cautious as to how personal data concerning EU elections is processed.


– Further Cancelations and Delays Due to COVID-19 –

In view of the continuing COVID-19 outbreak, several significant data protection events have been cancelled or postponed. Two stand out. First, following the cancellation of the March 2020 EDPB Plenary Meeting, the EDPB has now also decided to cancel its April 2020 Plenary Meeting. There is no information as to whether the members plan to hold virtual meetings in order to continue issuing opinions and guidelines. Second, the Commission has announced a delay in issuing its two-year review of the GDPR. The review is now expected in June 2020 rather than in April 2020. Whilst the reasons for this delay are not explicitly named, it is presumed that they are also due to COVID-19.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort