On 2nd September, Advocate General Bobek delivered his Opinion in the SIA ‘SS’ v Valsts ieņēmumu dienests case. It concerns the applicability of the GDPR and the compatibility with its provisions in a situation where a Member State Tax Authority requests general and systematic access, not limited in time, to the personal data of advertisers who publish their advertisements with a certain advertisement services provider online. AG Bobek framed the questions as concerning the relationship between two controllers and more specifically about the legal basis on which the service provider could rely when disclosing the requested personal data to the tax authority. He concluded that Article 6 (1) (c) and Article 6 (3) GDPR allow requests which are unlimited in time, ‘as long as there is a clear legal basis in national law for such a type of data transfer and the data requested are suitable and necessary for the tax authority to complete its official tasks’ and individuals are informed of the transfer (foreseeability), unless a restriction applies pursuant to Article 23 GDPR. At the end, the AG posed the challenging question whether the service provider, when raising the GDPR questions in casu, was motivated by a genuine concern about the personal data protection of their clients or rather instrumentalized the GDPR in order to pursue its business objectives, e.g. not to see advertisers switching to other platforms where their data might not be accessed by the tax authorities. We note that this is a very interesting observation, which alludes that private companies might be committed to data protection only in those cases in which it brings added value to their business, which could leave a gap in personal data protection. In addition, we note that AG Bobek seems to be rather lenient in his examination of the requirements about the legal basis of the data transfers at hand, barely criticising the potential for abuse of such fishing expeditions.
On 7th September, the ECtHR rendered a judgment concerning the compatibility of accessing and disclosing personal messages from a dating website by one’s spouse in a divorce and parental responsibility dispute. As to the facts of the case, the applicant and her ex-husband decided to separate and were in dispute about the parental custody over their children. When initiating the divorce proceedings, the ex-husband presented to the Portuguese courts the private messages which his wife had been exchanging with other men on a dating website during their marriage. The applicant filed a criminal complaint against her ex-husband, expecting that he would be punished for accessing and disclosing the contested messages. However, the public prosecutor decided to discontinue the proceedings. The applicant filed a complaint under Article 8 ECHR with the ECtHR because the Portuguese courts had not imposed criminal sanctions on her husband. The ECtHR examined the case from the point of view of the positive obligations of the State, i.e. whether the national courts had struck a fair balance between the competing interests, since the case at hand was a dispute between private individuals. The ECtHR did not find a violation of Article 8 ECHR for the following three reasons. First, the Court noted that the Portuguese legal system offered adequate protection in her case. This is because accessing and disclosing private communication without the concerned person’s consent constitutes a criminal offence. Indeed, at the applicant’s request a criminal investigation was launched and the applicant was given the right to become an ‘assistente’ and to thus participate in the proceedings. In addition, she had waived her right to submit a compensation claim for the alleged breach and only sought the establishment of a criminal liability, but the Court noted that it could rule on the criminal liability of the ex-husband. Second, as concerns accessing and disclosing the disputed messages, the Court examined the Portuguese courts’ conclusion that the applicant had voluntarily given access to her account on the dating platform to her ex-husband and that the messages became part of the couple’s private life. Here the ECtHR ‘considered that the national authorities’ reasoning with regard to joint access to the spouses’ correspondence had been open to debate, especially since there were reasons in the present case to believe that the applicant’s consent to her husband’s access had been given in a situation of conflict.’ Nevertheless, the Court decided that the conclusion was not arbitrary enough to call for a reversal. Third, the Court noted that the disclosure had not produced a disproportionate impact on the applicant’s private life, because the Portuguese courts did not examine the messages in the civil proceedings and these messages were not made accessible to the public. We note that the case raises an interesting question about the legality requirements for consent about data processing in private relationships, i.e. not in relation to the government or private companies, especially in cases where the household exception under the GDPR might be deemed to apply. This is a much less discussed and difficult issue which deserves more attention in our opinion.
– EDPB Publishes WhatsApp Binding Decision and the Decision of the Irish DPA ––
On 2nd September, the EDPB published on its website two important decisions: (i) the EDPB binding decision concerning the proceedings against WhatsApp’s transparency policy in Ireland under the dispute resolution mechanism between the Irish DPC (lead authority) and the concerned authorities and (ii) the final decision which the Irish DPC adopted by taking into account the EDPB decision. As the EDPB points out on its website, the binding EDPB decision influenced the final decision on three major points. First, the EDPB identified further transparency breaches than those already identified by the Irish DPC under Articles 12-14 GDPR and that in view of the gravity of the infringements, these should also be qualified as an infringement of the transparency principle in Article 5 (1) (a) GDPR. Second, following the EDPB intervention, the imposed fine was increased to € 225 million, inter alia because also the turnover of Facebook Inc, the parent company, was taken into account when calculating the fine itself, not only when calculating its maximum amount. In addition, the EDPB established that Article 83 (3) GDPR is to be interpreted as meaning that ‘(w)hen faced with multiple infringements for the same or linked processing operations, all the infringements should be taken into consideration when calculating the amount of the fine.’ Third, the period which is now given to WhatsApp to comply with the transparency requirements under the GDPR is three months, as compared to the initial six months suggested by the Irish DPC. We observe that both decisions, as published, are very detailed and long, and certainly provide a rich source of information about the decision-making process leading up to the decision.
– EDPB Plenary 14th September–
The EDPB held a plenary on the 14th of September. The agenda is available on the EDPB website under the link below. Included in the agenda are the following points of discussion, amongst others:
- ‘Consistency mechanism and Guidelines…Guidelines on the interplay between Art. 3 and Chapter V – discussion’
- ‘Current Focus of the EDPB Members…Statement on Digital and Data Strategy – request for mandate [and] Expert exchange on Mobile Apps – request for mandate’
– ICO Fines Increase Significantly in 2020/2021–
According to an analysis conducted by the law firm RPC, and reported by infosecurity magazine, fines issued by the ICO have increased massively in financial year 2020/2021. In this period, the ICO have issued fines of 42 million GBP, which represents a percentage increase of 1580% compared to the previous year. Reports suggest that the sum total of fines over the period is mostly comprised of two large fines: one relating to British Airways, the other relating to Marriott International. The information on the ICO’s increased fines is interesting for several reasons. Two might be highlighted: i) information on scale, fluctuation, and distributions of data protection fines is vital to understand how data protection laws are being enforced and what differences between modes of enforcement might be; and ii) information on the ICO’s approach to fines in this period is reflective of the activity and approach of the UK’s DPA in the period following the UK’s departure from the EU – a period of uncertainty in the relationship between data protection in the UK and the EU. We would highlight, however, that, whilst such information on fines is welcome, there is much more work to do regarding sanctions and data protection. Numerous questions remain open, such as how, and to what degree, fines actually impact data controllers’ activities.
– CNIL Map of Data Protection Around the World –
The CNIL – France’s DPA – has published a map of the world which allows users to view information on the standard of data protection in each country. The map includes information as to the degree to data protection provided in each country, information as to the means by which personal data might be legitimately transferred from EU countries to each country, and information – where relevant – as to the DPA in each country. The information remains on a general level and will, therefore, be unlikely to be of assistance to those who wish to establish a detailed picture of the situation in a specific third country or as to how to legitimately transfer personal data from the EU to a specific third country. Nevertheless, the map is a hugely valuable tool and a most welcome addition to the online data protection toolset. The map provides an intuitive experience which allows a user to: i) visualise, at a single glance, the state of data protection, and the proliferation of data protection laws, all over the world; ii) gain an instant – if superficial – appreciation for the standard of data protection in specific countries; and iii) quickly and easily identify contact information for DPAs all over the world. We would imagine that all with an interest in international data protection will find some use and enjoyment in the tool.