Data Protection Insider, Issue 27

– ECtHR Rules on Data Processing and Religion –

On 25th June, the ECtHR ruled in the case of Stavropoulos and others v. Greece. The facts of the case were as follows: the applicants registered the birth of their child at a registry office in Greece. The registry office noted, alongside the name of their child, the word ‘naming’. The term ‘naming’ reflected the wording of the only official Greek law dealing with the registration procedure. In practice, however, registry offices in Greece had also been using christening as an alternative form of registration procedure and thus tended only to write ‘naming’ alongside children who had not been christened. The applicants pleaded in front of the Greek courts that the note ‘naming’ revealed the fact that their child had not been christened. The national Courts deemed the application inadmissible as the note simply repeated the wording of national law. The applicants complained to the ECtHR, under Article 9 – freedom of thought, conscience, and religion – and Article 8, that the note ‘naming’ revealed the fact that their child had not been christened and that this constituted an interference with their right not to be obliged to manifest their beliefs. The ECtHR found in favour of the plaintiffs. The ECtHR recognised the existence of an infringement. In the context, the ECtHR accepted that the note ‘naming’ served to highlight the fact the child had not been christened. The ECtHR further recognised: ‘Such information appearing in a public document issued by the State constitutes an interference with the right…not to be obliged to manifest…beliefs [and] given the frequent use of the birth certificate…implying one’s religious beliefs [therein] exposes the bearers to the risk of discriminatory situations in their relations with the administrative authorities.’ Given that the only law outlining the registration procedure made no mention of christening as a possible mode of registration, the ECtHR found the infringement was not prescribed by law. The outcome of the case is substantially unsurprising. The case does, however, highlight the relationship between Article 9 and data processing. This relationship has hitherto received little consideration in data protection discussions.

– Commission Communication on Two Years of Application of the GDPR –

On 26th of June, the Commission released the Communication ‘Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation’. The report is the first in a series, and considers, in particular, ‘the application and functioning of the rules on the transfer of personal data to third countries and international organisations and of the rules on cooperation and consistency’. The report was compiled by the Commission after considering feedback from several parties – including the EDPB, national DPAs, the Multistakeholder Expert Group on the GDPR and external stakeholders. The report is generally positive about the application and impact of the GDPR. Nevertheless, several areas for improvement are also identified. The Commission highlight, for example, the following areas as needing work: the lack of a common data protection culture amongst European DPAs; the need for further progress and development in procedures for dealing with cross-border complaints within the EU; the ongoing resourcing problems faced by certain national DPAs; the existence of divergent approaches in Member State implementations of the GDPR; the lack of realisation of the potential in certain data subject rights – in particular the right to portability; and the need for further clarity in the applicability of the GDPR to new technologies. The issues identified will be familiar to those following data protection discussions over the last few years. Unfortunately, the report lacks base-line reference standards against which the Commission has identified ‘problems’ as well as detailed empirical data.

 – EDPB Publishes Register of One-Stop-Shop Decisions –

On 25th of June, the EDPB published a register of decisions, taken by national DPAs, under the One-Stop-Shop cooperation procedure. The register includes information on all 110 decisions taken by lead supervisory authorities under the procedure up until early June 2020. The register is searchable by several filters including: by the DPAs involved; by the GDPR Articles and legal provisions involved; by keywords; and by the eventual form of decision taken. Importantly, the register also contains links – where available – to the original cases as well as summaries of the cases, in English, prepared by the EDPB secretariat. The register is most welcome in providing a user-friendly overview of the types of activity taking place under the One-Stop-Shop procedure. A brief first look through the register reveals some unexpected findings. For example, a search for cases dealing with the conditions of consent, under Article 7 of the GDPR, turns up only two results. Further analysis however, would be welcome to properly parse the information contained in the register – for example, to identify the types of issues which emerge as most relevant in One-Stop-Shop procedures, and to identify patterns of DPA cooperation and behaviour.

 – EDPS Presents New Strategy –

The EDPS has released its 2020-2024 Strategy, entitled ‘Shaping a Safer Digital Future: a new Strategy for a new decade.’ The Strategy pays special attention to the respect for the rule of law and fundamental rights in a digitalized world and warns that safeguards against abusing the achievements of technological progress by authoritarian governments are much needed. To that end, the strategy is built on three pillars: (1) Foresight, (2) Action and (3) Solidarity. In terms of foresight, the EDPS strives to be a centre for excellence, contributing to a smart EU administration, and aims to identify trends in data protection and the broader technological, legal and social context. In this regard, the EDPS will pay particular attention to the challenges posed by developments in the Area of Freedom, Security and Justice (AFSJ). In terms of action, the EDPS will focus on the necessity of embedding privacy and data protection into new technologies and policies. The Supervisor emphasizes the necessity for coherence between Member States – especially between DPAs – to ensure consistent application and enforcement of the GDPR and the Directive on Data Protection in the Law Enforcement Sector. Finally, in terms of solidarity, the EDPS underlines the importance of upholding the rule of law and democracy to ensure justice. In this respect, the Supervisor will focus on independent supervision, coherence in the police and judicial field, and on upholding data protection and privacy as non-tradable values. The Supervisor also advocates a green approach to reducing the dangerous waste produced by energy-intense data processing technologies.

– Facebook’s Data Sharing Falls Foul of Competition Law –

On 23rd June, the German Federal Supreme Court upheld a German Federal Antitrust Agency order, pursuant to which Facebook should immediately stop sharing personal data across its platforms – including Facebook, Instagram and WhatsApp. The Supreme Court based its decision on competition law. It argued that Facebook has abused its dominant position on the German market for social networks. This is because the contested data sharing allows Facebook to create more sophisticated user profiles and charge advertisers higher fees for these profiles than would otherwise be possible. This is achieved with the help of abusive Terms and Conditions, which are illegal under competition law, because they create a lock-in effect – Facebook users have no opportunity to oppose the sharing of their personal data as there are no comparable services on the market. In addition, the Court argued that Facebook’s data sharing practices strengthen its position vis-a-vis advertisers as the amount of data which Facebook possesses gives it an unfair competitive advantage over other services which wish to attract advertisers. Facebook may now appeal the decision. However, Facebook may not appeal the current temporary ban, which takes immediate effect. What is special about this case is that questions concerning personal data processing were examined against the background of competition law, and not the GDPR. In the first instance, the ruling highlights that abusive data processing practices are potentially problematic both from a data protection law and from a competition law perspective. In turn, the ruling shows that enforcement of problematic data processing practices via competition law could solve certain competence and jurisdictional problems of data protection enforcement. Pursuant to the GDPR, only the EU Member State where an undertaking has its main establishment – Ireland in the case of Facebook – is competent to enforce the GDPR in relation to the companies established in that State.

– Huawei, SCCs and Chinese Surveillance Scrutinised in Germany –

A former manager at Huawei in Düsseldorf, Germany, has filed a case to access the data processed in relation to him by Huawei for the period of his employment – from 2010 to 2018. The employee was forced out of his job in 2018 and decided to challenge his dismissal in front of the labour courts. In the framework of this challenge, he requested access to his data. Since Huawei did not respond to his request within the deadlines prescribed under the GDPR, the court fined Huawei €5000 and ordered it to disclose the data. The case is ongoing. During court proceedings, Huawei claimed it has deleted most of the data in question. The plaintiff, however, doubts this claim and believes the data may have landed in the hands of the Chinese authorities. His belief is based on the fact that Chinese law permits the Chinese state to request companies to grant it access to the data they hold. In the context of the case, the issue of the legitimacy of Huawei’s data transfers to China based on SCCs, considering extensive Chinese state surveillance, has emerged. The case is thus interesting as the first, to our knowledge, which engages with the legitimacy of international transfers to China considering the state’s surveillance apparatus. Hitherto, discussions on issues regarding international transfers and state surveillance have focused overwhelmingly on the US. It will be particularly interesting to watch developments in this case following the CJEU’s decision – expected on 16th July 2020 – in the Schrems II case concerning data protection issues in the framework of transfers on the basis of SCCs to the US.



DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply