– CJEU Rules on Consent in Orange România –
On 11th November, the CJEU ruled in the case of Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP). The case dealt with the issue of valid consent in telecommunications contracts. In this regard, Orange had required customers to sign contracts for services containing clauses concerning the collection and retention of copies of their personal identity documents. These clauses included assertions to the effect that the customer had been provided with adequate information as to the collection and processing of their identity documents and had consented to this collection and processing. This information, however, had only been provided to the customers verbally by sales representatives. These contracts could also, in principle, be concluded without the provision of identity documents, but only on the condition that the customer then filled in another form documenting this choice. ANSPDCP found this practice to be illegitimate and ordered Orange to destroy the copies of the documents it had collected. Orange challenged this decision in front of the Romanian courts. In relation to these proceedings ‘the Tribunalul București (Regional Court, Bucharest) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling: ‘(1)…what conditions must be fulfilled in order for an indication of wishes to be regarded as specific and informed? (2)…what conditions must be fulfilled in order for an indication of wishes to be regarded as freely given?’’. The CJEU’s responses will be unsurprising for all familiar with the conditions for legitimate consent in data protection law. The CJEU concluded: ‘A contract for the provision of telecommunications services which contains a clause stating that the data subject has been informed of, and has consented to, the collection and storage of a copy of his or her identity document for identification purposes is not such as to demonstrate that that person has validly given his or her consent, as provided for in those provisions, to that collection and storage, where…the box referring to that clause has been ticked by the data controller before the contract was signed, or where…the terms of that contract are capable of misleading the data subject as to the possibility of concluding the contract in question even if he or she refuses to consent to the processing of his or her data, or where…the freedom to choose to object to that collection and storage is unduly affected by that controller in requiring that the data subject, in order to refuse consent, must complete an additional form setting out that refusal.’
– Dupate v Latvia: ECtHR on Freedom of Expression and Privacy –
On 19th November, the ECtHR examined the balance between the right to freedom of expression (Article 10 ECHR) and the right to privacy (Article 8 ECHR) in the Dupate v Latvia case. According to the facts of the case, at the material time the applicant was the partner of a public figure – the chairman of a political party. The magazine covertly took pictures of the applicant leaving hospital with her new-born baby and published them. The applicant challenged the intrusion into her private life in front of the domestic courts, which dismissed her action because they believed that the published materials were an exercise of the magazine’s freedom of expression without unduly intruding into the applicant’s private life. For that reason, she submitted an Article 8 ECHR complaint. The ECtHR ruled that the domestic courts, while having examined the balance between the two rights, had not examined this balance in accordance with the relevant ECtHR criteria and thus ruled that there was a violation of Article 8 ECHR. More precisely, the ECtHR noted that: i) the published pictures did not contribute to any public debate; ii) the applicant was not a public figure herself and that she became the focus of attention merely due to her relationship with the father of the child; iii) even though the father of the child had provided information about the birth to the media, the pictures were not necessary to prove that information; iv) even though previously the applicant had not objected to information about her having been published, that fact should not have been seen as a general waiver of her right to private life; v) the materials were still of private nature, even if they did not depict the applicant in a humiliating manner; and vi) the pictures had been taken covertly, i.e. without her consent. We note that the case demonstrates the thin line between a fair and unfair balance between both rights and that the ECtHR will hold domestic courts to account concerning the criteria they apply in examining individual cases.
– EDPB Holds 41st and 42nd Plenary Session –
- Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (for public consultation)
- Recommendations on the European Essential Guarantees for surveillance measures
- Statement on the future ePrivacy Regulation – the document is not yet available on the EDPB website as it is undergoing linguistic, formatting and legal checks.
In addition, during the 42nd Plenary Session, the European Commission presented the draft SCCs between controllers and processors and the draft SCCs for personal data transfers outside the EU – see also below.
– Commission Releases Draft SCCs on Transfers to Third Countries –
On 12th November, the Commission released their preliminary draft of the updated Standard Contractual Clauses – only shortly after the EDPB released its Opinion on international transfers following Schrems II. There will now be a four-week period in which the public can provide feedback on the draft SCCs – the link to provide feedback follows below. Whilst attention to international transfers continues to focus on the fallout from the Schrems II judgment, the draft SCCs are nevertheless worth close consideration. In this regard, the IAPP offers several interesting observations on the draft clauses. Four of these observations stand out. First, the draft clauses are modular, and thus offer more flexibility than the current set of clauses. Second, whilst the current clauses cover transfers between controllers and controllers, and between controllers and processors, the draft clauses also cover transfers between processors and controllers, and between processors and processors. Third, the draft clauses facilitate the possibilities for multiple different data controllers or processors to be bound by the same clauses. Finally, whilst the draft clauses include considerations as to the impact of third country laws on the standard of protection provided to personal data, and how this relates to the standard of protection mandated by EU law, certain of these considerations do not sit easily with positions on these matters taken by the EDPB. This is the case concerning the degree of flexibility with which third country laws should be evaluated. Paragraph 20 of the draft SCCs suggests that controllers might take into account ‘any relevant practical experience indicating the existence or absence of prior instances of requests for disclosure from public authorities received by the data importer for the type of data transferred’ when evaluating the legitimacy of a transfer. The EDPB, however, warn against such considerations in evaluating the legitimacy of transfers.
– EDPS Releases Opinion on Child Sex Abuse Online –
On 10th November, the EDPS released its Opinion on the Commission Proposal for a regulation on temporary derogations from the e-Privacy Directive for the purpose of combatting child sexual abuse. In short, the Proposal concerns voluntary measures by the operators of online communications, such as instant messaging services, to detect child sexual abuse and report these to law enforcement authorities. In his Opinion the EPDS points out that the proposed measures clearly constitute an intrusion into the fundamental rights to privacy and data protection of all users of such messaging services. If adopted, they could serve as a model for other similar surveillance and reporting measures and thus should not be adopted without EDPS recommendations having been taken into account. On a more granular basis, the EDPS notes that, as it currently stands, the proposal does not clarify the legal basis for the personal data processing – which is problematic from a legality perspective and is not compliant with Article 15 (1) e-Privacy Directive. Furthermore – in resonance with CJEU case-law on surveillance measures – the EDPS recommends that “(i)n order to satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of the measures in question and imposing minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that data will be effectively protected against the risk of abuse.” The EDPS recommends that the proposal for derogations should have a shorter life-span – i.e. two instead of five years – because of the serious deficiencies identified by the EDPS. Finally, we note that the negotiations on the e-Privacy Regulation proposal, which are supposed to replace the e-Privacy Directive, appear not to have progressed sufficiently and there now seems no prospect of a deal by the end of the year. At the same time, the legislature is eager to adopt measures on e-communications, which makes the adoption of the e-Privacy Regulation even more urgent.
– EDPS Publishes Opinion on the European Health Data Space –
On 17th November, the EDPS published the ‘Preliminary Opinion 8/2020 on the European Health Data Space’. The Opinion comes as a response to the Commission’s proposal – in the Communication on ‘A European Strategy for Data’ – for the creation of a European Health Data Space. In this regard, the EDPS highlights the importance of the intentions behind the Commission’s initiative whilst highlighting the need for any such space to be legislated for, and designed, in line with data protection principles. In this regard, the EDPS highlights a series of considerations the Commission should take into account when creating such a space, including: the legal basis on which data processing in the space should rely – in relation to which the EDPS expresses particular support for public interest bases as opposed to consent; the legitimacy of further processing of data in the space; the need for clarity in relation to the designation of the actors involved in data processing within the space; the need for clarity in relation to the forms of data which will be processed within the space – in relation to which the EDPS proposes that only anonymous and aggregate data should, as a rule, be processed; the need for a ‘comprehensive security infrastructure’ and the utility of DPIAs in assessing relevant risks to be addressed; the need for consideration of the ethical use of data within the space – including the need, where relevant, for the involvement of ethics committees; the need for a strong data governance approach; the need for data to be processed by entities respecting European values and in line with considerations of ‘digital sovereignty; and the need to achieve the implementation of data portability principles in the space. The positions taken in the Preliminary Opinion remain general. However, it seems likely more specific and detailed positions will be offered as more details on the shape and legal framework of the space emerge.