Data Protection Insider, Issue 45

Liebscher v Austria: Publication of Divorce Settlement as a Breach of the Right to Privacy

On 6th April the ECtHR decided in the case of Liebscher v Austria that Austria had not fulfilled its positive obligations to protect the personal data of the applicant under Article 8 ECHR. As to the facts of the case, the applicant had divorced his wife and wanted to transfer his share of the house to her. In order to register this transfer, the local land register court requested, per law, that the full divorce settlement be presented in order to be published in the land register. The applicant objected, arguing that the full divorce settlement contained much more personal data than necessary for the purposes of the public land register. It even included data concerning their minor children and his salary. The local courts rejected his suggestion that only the relevant excerpts be made accessible to the public, arguing that the national laws required the publication of the full divorce settlement. When he filed an Article 8 ECHR complaint with the domestic courts, which included references to the Austrian data protection legislation, the domestic courts merely noted that the interference with his data protection rights had a legal basis in national law. They also rejected his request for a preliminary ruling reference to the CJEU on the claim that Article 52 (1) CFREU had been breached. Taking all this into account, the ECtHR ruled that there had been a violation of Article 8 ECHR on account of the fact that the domestic courts had failed to balance the competing interests and thus to protect his personal data.
The Court reasoned that it ‘… therefore cannot but conclude that the domestic courts never actually examined the core of the applicant’s claim because of the lack of a comprehensive examination of the question whether the legal obligation to produce the full original divorce settlement – which could serve as basis for the entry in the land register and subsequently be published in the document archive – was compatible with the effective enjoyment, by the applicant, of his right to protection of his personal data. The domestic courts therefore have failed to comply with their procedural obligation under Article 8 of the Convention to conduct a comprehensive assessment of a matter affecting the applicant’s privacy rights …’. We note that this is one of the ECtHR cases which clearly has at its core a purely data protection dispute. It is also interesting to note that the Austrian law on data protection seems to have been automatically ‘trumped’ by pre-existing laws. It remains to be seen whether this will continue to be the case in the future with the growing importance of the GDPR.


EDPB Holds 48th Plenary Session

On 13th April the EDPB held its 48th Plenary Session. During the session, the following documents were adopted:

  • Two Opinions on the Draft UK Adequacy Decisions, one under the GDPR and one under the LED;
  • ‘Guidelines on the application of Article 65(1)(a) GDPR’;
  • ‘Guidelines on the targeting of social media users’;
  • ‘Statement on international agreements including transfers’.

The documents are already published, with the exception of the Guidelines on targeting social media users.

EDPB Opinions on UK Adequacy Decisions

The EDPB has published two Opinions on the Commission’s draft UK Adequacy Decisions. The first EDPB Opinion concerns the Commission’s draft Decision on UK Adequacy and the GDPR – Opinion 14/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the United Kingdom. In the Opinion, the EDPB highlight the significant overlaps and confluences which exist between the UK’s data protection framework and that of the EU. However, the EDPB also highlight several challenges. These include, amongst others: the potential for divergence pursuant to future changes in the UK approach to data protection, and the scope and use of the ‘immigration exemption’ in UK law. The second EDPB Opinion concerns the Commission’s draft Decision on UK Adequacy and the Law Enforcement Directive – Opinion 15/2021 regarding the European Commission Draft Implementing Decision pursuant to Directive (EU) 2016/680 on the adequate protection of personal data in the United Kingdom. Again, the EDPB observe the significant overlap between the UK data protection framework and that of the EU. Again, however, the EDPB observe challenges. These include, amongst others: potential future UK Adequacy Decisions and how these relate to legitimate onward transfers under EU law; and the interplay between UK data protection law and the UK’s international commitments relevant to personal data processing – for example the US-UK CLOUD Act Agreement.


The Leaked Proposal on Regulating AI: The Main Novelties

Last week news sources started circulating the leaked proposal on Regulating AI, which is supposed to be formally published these days. While the leaked document seems to be a work in progress, its substance is quite indicative of the intention of the legislator. In our short story, we note the following five points. First, with regard to the scope of the proposal, it focuses on high-risk AI applications. It seeks to mitigate the risks posed by these, but also to encourage their uptake in the internal market. Except for biometric identification technologies, the proposal does not list the AI applications it considers to pose a high risk. It does provide the criteria for these applications in an Annex, though. These could include law enforcement technologies, e.g. crime prevention ones, and non-law enforcement ones, such as creditworthiness assessment tools. Second, the Commission does not intend to ban such technologies. In its proposal it has taken the approach of mitigating the risk by subjecting these technologies both to pre-deployment assessment of conformity with the requirements of the proposed Regulation, as well as assessments after such technologies have reached the market or after they have been modified. The conformity assessment requirements are provided for in the proposal. They range from high-level fundamental rights compliance requirements to more precise requirements, e.g. transparency and documentation about how the given technology works and what impacts it has. Third, the proposal seeks to boost innovation by creating sandboxes for developing and testing AI technologies. Fourth, the proposed Regulation also takes account of AI technologies imported from outside the EU and the need for these to comply with the conformity requirements in the proposal. Fifth, the proposal sets up supervisory and enforcement mechanisms.
These seem to be envisaged to be set up and work in parallel with the data protection supervisory authorities set up under the GDPR and the LED. One of their tasks would be to ‘approve’ the high-risk AI applications, which would then be registered by the Commission. In addition, a European Artificial Intelligence Board, which ensures the coordination between the Member States on regulating AI, would be set up. We note that we are looking forward to the formal proposal and the more in-depth discussion on it.


DPA of Hamburg Starts Urgency Procedure against Facebook

The DPA of Hamburg – the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI) – has opened an urgency procedure against Facebook Ireland Ltd. The procedure concerns WhatsApp’s recently updated user conditions and data protection policy. At the start of the year, WhatsApp users were requested to agree to the new conditions by mid-May or risk being restricted in their use of the service. The conditions themselves contained several paragraphs in which Facebook Ireland claimed rights to use WhatsApp user data across its various services. The DPA is concerned that the extent of use of WhatsApp – over sixty million users in Germany – means that careful attention should be paid to ensure that no illegitimate exploitation of power occurs. The DPA considers that, in this case, there are grounds to believe that the new conditions may not be based on truly freely given and informed user consent. The reported goal of the procedure is an order that no more personal data be collected from WhatsApp users for use for Facebook’s own purposes. The DPA is responsible for Facebook in Germany, as the company’s German offices are located in Hamburg. The DPA perceives the existence of unusual circumstances, which permit the DPA to open proceedings, under Article 66 GDPR, against Facebook in Ireland – although any measures are then subsequently limited to three months’ duration pending extension or expansion by the EDPB. The DPA aims to come to a decision in the urgency procedure before the 15th of May.

‘Mass Action’ against Facebook 

As TechCrunch reports, the NGO Digital Rights Ireland has announced it is instigating a ‘mass action’ against the social media giant Facebook aiming at securing monetary compensation. The ‘mass action’ concerns a leak of Facebook user data which initially happened in 2019, but which only recently came to light as the personal data of over five hundred million Facebook users was discovered as freely available for download online. The leak involved various types of personal data, including, for example, mobile phone numbers and relationship status. The NGO suggests that EU- or EEA-based Facebook users should check to see if their personal data was impacted by the leak and is requesting those users who have been impacted to join the case. The ‘mass action’ initiative will run concurrently with an investigation by the Irish Data Protection Commission. Whilst the initiative is interesting and its development is worth keeping an eye on, it should be recalled that the initiative is still in its formative stages and that the eventual outcome remains unclear.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
