– EDPB Adopts Four Documents –
On 18th and 19th January 2020 the EDPB had its 18th plenary session. As a result of the session, the EDPB adopted the following four documents:
- EDPB Contribution to the evaluation of the GDPR under Article 97
- Guidelines on Articles 46 (2) (a) and 46 (3) (b) for transfers of personal data between EEA and non-EEA public authorities and bodies
- Statement on privacy implications of mergers
- Letter to Hoda
The documents are already available on the EDPB website. The first document – the Contribution to the evaluation of the GDPR – is part of the broader discussion around the two-year review of the GDPR – as discussed below. The second document – guidelines on data transfers – is open for consultation until 6th April 2020. The third document expresses data protection concerns regarding the planned acquisition of Fitbit, Inc. by Google LLC and highlights the need for a risk assessment to be conducted by both parties. The fourth document concerns a notification that the Italian Supervisory Authority has withdrawn its request for opinion by the EDPB concerning Hoda.
– EDPB Position on the GDPR Two Year Review –
On 18th February 2020, the EDPB released its Opinion on the two-year evaluation of the GDPR. In summary, the EDPB states: ‘In conclusion, after only 20 months of GDPR application, the EDPB takes a positive view of the implementation of the GDPR and is of the opinion that it is premature to revise the legislative text at this point in time’. The review thus contains little substantive criticism of the GDPR itself. The review is, however, worth reading as it contains a treasure trove of information on DPA activities in relation to the interpretation and enforcement of the GDPR – particularly in relation to DPA collaboration. It should be noted, however, that the position of the EDPB – that no changes to the text are necessary – is not shared by other Opinions submitted in the review process. Certain of these highlight a range of practical and conceptual issues with the GDPR in need of specific amendment. One example is the extensive Opinion offered by the German Forum Privatheit project. This Opinion explicitly highlights several necessary changes to the text of the GDPR which would both clarify the law and improve the protection offered to individual rights. For example, the Opinion highlights the need to clarify the data minimisation principle to explicitly recognise the data avoidance principle – the principle ‘that the controller is obliged to select a specific purpose in such a way that as little personal data as possible is required for processing.’
– EDPS Offers Opinion on UK Partnership Negotiations –
On 24th February, the EDPS published an Opinion on the opening of negotiations for a new partnership with the UK. The Opinion is broken down into three substantive parts. The first part highlights the need to ensure an adequate level of protection for fundamental rights – in particular for the right to the protection of personal data – across all aspects of a future partnership. The third part highlights the need for rules concerning the international collaboration between regulators. The second, and most interesting, part concerns the conclusion of a future adequacy decision for the UK. On the one hand, the EDPS recognises the utility of an adequacy decision: ‘[the EDPS] underline[s] the importance of such assessment for the future cooperation between the EU and the UK, be it under the Regulation (EU) No 2016/679 (hereinafter ‘GDPR’) or the Directive (EU) No 2016/680 (hereinafter ‘Law Enforcement Directive’).’ On the other hand, however, the EDPS draws attention to the fact that an adequacy decision is contingent on the UK providing an adequate level of protection for personal data. In this regard, the EDPS ‘draws attention to the European Parliament’s Resolution adopted on 12 February 2020, which identifies a number of concerns as to the level of protection of personal data in the UK’. As discussed previously in this newsletter, the adequacy process is not a foregone conclusion. The process is subject to politics – who knows what EU-UK relations will look like after negotiations are finished. In turn, the substantive standard of protection offered under UK law – in particular in relation to security and surveillance – has long been a concern of privacy advocates.
– The Croatian Presidency: A New Try at e-Privacy –
The Croatian Presidency has been trying to overcome the deadlock in negotiations on the draft e-Privacy Regulation. In this regard, the Presidency has tabled amendments to provisions concerning two main topics in the draft proposal. The first topic concerns the legitimate grounds for processing of electronic communications data, content data, metadata and data concerning child sexual abuse (Article 6) – amendments to data storage and erasure principles (Article 7) have also been proposed to reflect the content of amendments to Article 6. The second topic concerns the protection of the end user’s terminal equipment information – e.g. when connecting to a Wi-Fi network (Article 8). In terms of content, all proposed amendments seek to extend the range of legitimate grounds for processing of personal data. Particularly significant is the introduction of legitimate interest as a legal ground for the processing of metadata and terminal equipment information – where previously only consent could legitimate processing. The fact that these amendments expand the range of possibilities available to legitimate data processing constitutes a dilution of protection in comparison to the current e-Privacy framework. It looks likely, especially considering current discussions on AdTech, that these amendments will face heavy criticism and resistance.
– The Commission Issues European Strategies on AI and Data –
On 19th February 2020 the European Commission released two important strategies:
- On Artificial Intelligence – A European approach to excellence and trust; and
- A European strategy for data.
The strategy on AI outlines the European approach to AI in a global world. The strategy seeks to propose policy options to achieve two main objectives: to promote the uptake of AI; and to address the risks of AI. To promote the uptake of AI, the strategy seeks to reinforce Europe’s industrial and technical capacities to boost Europe’s significance in the field globally. To address the risks of AI – especially privacy, data protection, discrimination and product safety risks – the Commission is considering regulatory measures. The European strategy for data ‘outlines a strategy for policy measures and investments to enable the data economy for the coming five years’. The strategy seeks to make Europe a hub for data, which should also serve as a measure to boost Europe’s technical and industrial capacity for AI. The strategy for data focusses on four pillars: data access and use; investments and infrastructure; competences and skills; and creating common European data spaces in nine strategic sectors and domains – including industrial (manufacturing), Green Deal, mobility, health, financial, energy, agriculture, public administration and skills data space. The two strategies are open for public consultation – until 19th and 31st May 2020 respectively.
– Irish DPA Attention Changes Facebook Election Practices –
The Irish DPA has requested information from Facebook about its Election Reminder Feature. Specifically, the Irish DPA has requested information regarding which data are collected from users and how these data are used. In this regard, the DPA sought a set of remedial actions from Facebook prior to the Irish elections on 8th February. In response to DPA requests for information and for remedial action, Facebook decided to pause the deployment of the feature in relation to elections across Europe – although the duration of the pause remains unclear. The Election Reminder Feature aims to remind individuals to vote on election day and to help them find their polling station. Given the explicit connection of the feature to elections and voting – and therefore to core democratic processes – and the recognised power of platforms to reach and influence targeted groups of individuals, it is no surprise the feature has raised concerns. From a broader perspective, the case is interesting for at least two reasons. First, the case provides further proof that the issue of data protection and democracy remains high on DPA agendas. Second, the case shows that data protection regulatory action from within the EU is seen as important enough to shift the practices of platform giants. In this regard, it would be interesting to have further insight into Facebook’s internal logic in processing and responding to such DPA requests and investigations. A number of questions present themselves: how does Facebook understand DPA requests; where are the centres of power within the company in relation to EU data protection practices; and are these changing over time?