Data Protection Insider, Issue 30

– EDPB Handles First Dispute Resolution Case –

The Irish DPC has triggered, for the first time, the dispute resolution mechanism under Article 65 GDPR. The case concerns the Irish DPC’s investigation into, and decision on, a data security breach by Twitter – for which it acts as a lead supervisory authority. As a matter of substance, the disagreement seems to be about the sanction to be imposed on Twitter. However, no further information is available. The dispute resolution mechanism is meant to solve conflicts of opinion between the lead DPA and the other concerned DPAs, in which case the EDPB should take a binding decision by a 2/3 majority. The EDPB’s final decision is supposed to be adopted within 2,5 months at latest after the mechanism has been triggered. Some experts note that triggering the dispute resolution mechanism is a positive sign that the GDPR is being interpreted and applied consistently throughout the EU and that it is surprising that it took so long for the mechanism to be triggered. We note that such dispute resolution cases might make it politically more challenging for the companies under investigation to influence the outcome of investigations concerning them as well as to have them overturned afterwards.


– ICO Releases Findings of Data Protection Survey –

On 27th August, the ICO released its Annual Track survey results. The Annual Track is a yearly survey of over 2000 people, commissioned by the ICO, on the subject of data protection. The results of the survey provide vital empirical data on the public’s perception of data processing and data protection – data often absent from data protection discussions – and make interesting reading. Amongst other things, the ICO found that: ‘There has been a significant shift towards the middle ground in terms of the public’s trust and confidence in companies and organisations storing and using personal information. Levels of both high and low trust and confidence have decreased…The data protection concerns of most importance to the public and which would most stop them using a company/organisation are having their personal information stolen or shared/sold to third parties and being a victim of fraud/scams…There is substantial appetite to exercise both data protection and Freedom of Information Act (FOIA) rights, but there is often uncertainty around how to do this…[and]…The public are often willing to trade personal information for access to products and services’. It would be interesting to consider whether the findings of the survey remain valid for other European countries as well as to consider how the findings in the survey compare with other, previous, surveys.


 – Special Rapporteur to Consider Children’s Privacy –

Joseph Cannataci, the UN Special Rapporteur on the Right to Privacy, ‘has decided to examine the privacy rights of children and how this right interacts with the interests of other actors as the child develops the capacity for autonomy’. In this regard, the Special Rapporteur calls for submissions from all interested stakeholders ‘in order to obtain a wide range of perspectives to inform the research’. The result of the process will be the publication of a report, which will be presented to the Human Rights Council in March 2021. The Special Rapporteur provides a list of topics stakeholder contributions might cover, including: ‘Parental, familial, community, governmental, commercial and other interests that influence the development of the child and their autonomy;…Official identity recognition including but not limited to birth registration and other official identity papers;…The development of personal identity (or ‘self’) including gender identity and expression; The strengths and challenges of ‘age based’ and ‘age verification’ approaches.’ Written contributions, ideally in English, should be received by 30th September 2020 – addresses for submissions are listed in the link below.


 – The Austrian DPA, Legal Persons and Data Protection –

The Austrian DPA recently held that ‘a legal person has the constitutional right to data protection under § 1 DSG (Austrian Data Protection Act) and is entitled to lodge a complaint before the DSB’. The case concerned a company which complained to the Austrian DPA that their personal data had been unfairly processed by the Austrian Federal Office for Safety in Health Care during an audit. Although the complaint was eventually rejected on substantive grounds, the DPA did recognise the company’s standing as a subject under the Austrian Data Protection Act. The case was decided by a DPA, concerns local law and norms and has apparently received little attention around Europe. Nevertheless, the European data protection community should take note. The decision recognises the legitimacy, and constitutional value, in providing legal persons with data protection. In doing so, the recognition reminds us that provision of protection to legal persons is conceivable under EU data protection law. This is a possibility with a long history in Europe and which raises numerous interesting conceptual and practical questions. It is also, however, a possibility seldom discussed since the GDPR has entered into force.


– GDPR Fines Drop in Q2 2020 –

A report by IT Governance notes that, in Q2 of 2020, EU DPAs have issued fines totalling only 2.9 million Euros. This number constitutes a significant drop from the 49 million Euros in fines issued in Q1. It appears that Spain issued the highest number of fines. Some have argued that the drop in the amount of fines is to be attributed to COVID-19. At the same time, they acknowledge that not all countries consistently report on their fines and thus the numbers might in fact be higher than suggested by the report. We note that the drop in the amount of fines might also be attributed to the fact that some investigations take a longer time due to the complexity of the case, which might lead to increases in the fines in subsequent quarters/years. It is interesting that a record is being kept on the matter of fines, as they have been praised as one of the novelties of the GDPR supposed to lead to higher compliance and a deterrent effect on data protection violations. It would be interesting to study their impact long-term.


– Real-Time Bidding Challenged –

Oracle and Salesforce are facing a multinational multi-billion-euro legal challenge. The challenge has been brought by the Privacy Collective on behalf of millions of internet users and has been submitted at the District Court of Amsterdam. A legal complaint will supposedly also be submitted at a later date in the UK. In substance, the complaint concerns real-time bidding – in the course of which adtech companies collect information about the internet usage of individual users via cookies and then sell them to advertisers. Whereas a huge number of companies engage in such practices, the Privacy Collective claims that Oracle and Salesforce engage in the practice without proper consent and without adequately informing internet users. Both companies deny the allegations. To the best of our knowledge, this is one of the rare instances of a collective action – provided for under Article 80 GDPR. We note that regardless of the outcome of the challenge, the emergence of such non-for-profit organisations engaging in the investigation of possible violations of the GDPR sends a strong signal that the GDPR’s remedial mechanisms are growing in use. In addition, we note that the fact the legality of specific adtech practices is challenged represents a general trend in scrutiny over adtech.



DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort