Data Protection Insider, Issue 10

- Covert Surveillance at Work Deemed Legal by ECtHR -

On 17th October 2019 the ECtHR Grand Chamber ruled, in López Ribalda and Others v. Spain, that the covert surveillance of supermarket cashiers in casu does not violate Article 8 ECHR. As a result of the video surveillance, the concerned employees, caught stealing products from the supermarkets, had been dismissed. In assessing whether Spain had fulfilled its positive obligations, the ECtHR argued that the domestic law in Spain offered adequate safeguards concerning surveillance at the workplace. Further, it noted that the Spanish courts had carefully weighed the interests of the employer and the employees even if the employer had not notified the employees of the surveillance as required by law. Thus, Spain had not overstepped its margin of appreciation. However, it is to be noted that the decision was not taken unanimously and three judges issued a joint dissenting opinion. They argued that the Spanish courts and the Grand Chamber failed to strike a “fair balance” between the interests of the employees and the employer. Further, they criticized the lack of legislative clarity and certainty as concerns video surveillance in Spain. Taking into account the powers of new technologies, they highlighted their fear that such a judgement could open the door to arbitrary covert surveillance in breach of Article 8 ECHR. The internal disagreement at the ECtHR demonstrates the difficulty of setting out a clear framework on regulating (covert) video surveillance with adequate safeguards.

https://hudoc.echr.coe.int/eng#%7B%22itemid%22:%5B%22001-197098%22%5D%7D

- ECtHR Rules on Public Lustration Database -

Two weeks ago, in the case of Polyakh and Others, the ECtHR ruled on a case concerning lustration legislation in Ukraine. The basic facts of the case are as follows: following the change in government in Ukraine in 2014, the new government introduced sweeping lustration legislation – the Government Cleansing Act – aimed at civil servants, regardless of position and activity, who had served at least one year under the 2010-2014 Yanukovych regime, as well as civil servants who had served under the pre-1991 Communist regime. The plaintiffs, all civil servants dismissed under the legislation, argued the legislation constituted an infringement of their Article 8 privacy rights. In the case, the Court found an infringement and considered that such broad lustration legislation was neither supported by a clear legitimate aim nor was it necessary in a democratic society. Whilst the core of the case concerned the limits of legitimate lustration legislation, one aspect of the case has relevance for data protection discussions. The problematic legislation required the entry of information on dismissed civil servants into a publicly accessible database. Adopting a consequence-based approach to the assessment of privacy infringement, the Court found the existence of such a public database played a role in seriously impacting ‘applicants’ capacity to establish and develop relationships with others and their social and professional reputation and affected them to a very significant degree.’ As a consequence, the Court highlights that the existence and scope of a database is materially consequential and thus significant in determining the existence and extent of an Article 8 infringement.

https://hudoc.echr.coe.int/eng#%7B%22article%22:%5B%228%22%5D,%22documentcollectionid2%22:%5B%22GRANDCHAMBER%22,%22CHAMBER%22%5D,%22itemid%22:%5B%22001-196607%22%5D%7D

- Third Annual Review of the EU-U.S. Privacy Shield – An Indication of Success? -

On 23rd October 2019 the Commission released the results of the third annual review of the EU-U.S. Privacy Shield. The review concluded that the U.S. continues to offer an adequate level of protection to the personal data transferred from the EU to the U.S. under the Privacy Shield. It noted the progress made since the second annual review, e.g. the appointment of the Privacy Shield Ombudsman. It also noted that the redress, enforcement and oversight mechanisms are functioning well. However, the review still identified several shortcomings. These relate, on the one hand, to the certification process – e.g. the need to shorten re-certification periods – and, on the other hand, to substantive provisions – e.g. the need for further guidelines for compliance with the provisions of the Shield as well as the need for more oversight of the substantive provisions of the Privacy Shield. It is to be noted, however, that the Privacy Shield has been criticized by civil society, since its inception, for not rectifying the shortcomings of its predecessor – the Safe Harbour Agreement – which had previously been struck down by the CJEU. It is thus not surprising that a civil-society-led challenge to the Privacy Shield is pending in front of the CJEU. Despite the positive conclusions of the Commission review, this challenge will likely be the real litmus test for the legitimacy and future of the Privacy Shield.

https://europa.eu/rapid/press-release_IP-19-6134_en.htm

- Resolutions Adopted following the IDPPCC -

The annual International Data Protection and Privacy Commissioners’ Conference was hosted in Tirana, Albania, last week. One of the outcomes of the conference was a set of Resolutions supported by represented organisations. These Resolutions include:

- Resolution to address the role of human error in personal data breaches
- Resolution on social media and violent extremist content online
- Resolution on the promotion of new and long-term practical instruments and continued legal efforts for effective cooperation in cross-border enforcement
- International resolution on privacy as a fundamental human right and precondition for exercising other fundamental rights
- Resolution on the conference’s strategic direction (2019-21)

The topics chosen as the subjects of Resolutions make an interesting subject of study, as does the substance of the Resolutions themselves. Interestingly, the conference is perhaps the closest forum currently available to a regular official meeting of Data Protection Authorities from around the world. Against this background, it is interesting to consider what legal significance such Resolutions might come to have. On the one hand, they clearly cannot be equated with traditional jurisprudential sources – legislative texts, case-law etc. On the other hand, interpretation of European data protection law has long regarded other types of sources as having persuasive significance – guidelines, opinions etc.

https://edps.europa.eu/data-protection/our-work/publications/international-conferences/tirana_en

- German Data Protection Authorities Adopt Approach to Calculating Fines -

The German Datenschutzkonferenz – a body made up of all German Data Protection Authorities – has adopted a novel approach for calculating the size of fines for data protection violations under the GDPR. The approach can be broken down into five steps: (i) the classification of the entity based on its turnover in the last year; (ii) the allocation to that entity of an average annual turnover figure – the figure represents the average turnover of all entities falling within the classification in step (i); (iii) calculation of the entity’s ‘daily rate’ – the daily rate represents the annual average turnover divided by 360; (iv) the multiplication of the ‘daily rate’ by a standardized calculation of the gravity of the infringement – the calculation includes a consideration of whether the infringement is technical or material in nature as well as, on a four level scale, the severity of the infringement; (v) the modification of the fine taking into account the nature of the GDPR infringement and the impact of the infringement on the data subject – with particular reference to Article 83 (2). The approach provides a welcome granularity to the procedure of fines calculation. It remains to be seen, however, how the approach will be received by other European Data Protection Authorities. It also remains to be seen whether the use of the approach will have unintended consequences and if so, which types of entity will be affected by those consequences.

https://www.dataprotectionreport.com/2019/10/german-data-protection-authorities-publishes-a-new-gdpr-model-for-fines/

- Germany Issues Digital Ethics Guidelines -

The German Data Ethics Commission, set up by the German Federal Government, has issued an Opinion on ethical benchmarks and guidelines concerning digital technologies. The Ethics Commission picked two focal points: data governance and algorithmic systems. Their recommendations seek to foster technological development while respecting European values, including human dignity, democracy, justice and solidarity, sustainability, security, privacy and self-determination. Based on these guiding principles, the Ethics Commission issued 75 opinions/recommendations. These range from recommendations on strengthening the rights of individuals – e.g. on the need for enhanced transparency – to recommendations on the interests of companies – e.g. on their right to self-determination by exploiting the personal and non-personal data they possess in ethically defensible ways. Admittedly, the Data Ethics Commission lacks legislative power. However, its recommendations may yet be influential. Observers comment on the confluence between the agenda of European Commission President-elect Ursula von der Leyen and the approach of the Ethics Commission, especially as regards calls for digital sovereignty, as well as the likely influence of the German government in setting the EU legislative agenda. Could the German Guidelines become the blueprint for future Commission legislative proposals?

https://www.bmjv.de/SharedDocs/Downloads/DE/Themen/Fokusthemen/Gutachten_DEK_EN.pdf

Lexxion Verlagsgesellschaft mbH
Güntzelstr. 63
10717 Berlin
Deutschland