Data Protection Insider, Issue 46

– EDPB Releases Guidelines on Dispute Resolution by the Board

The EDPB has published guidelines ‘on the application of Article 65(1)(a) GDPR’ – the Article dealing with ‘Dispute resolution by the Board’. The Board locate the elaboration of substance in the document within the frame provided by the CFREU – in particular the right to good administration under Article 41 – the GDPR, and the EDPB Rules of Procedure. In terms of substance, the Guidelines deal with: i) ‘[the] Main stages of the procedure’; ‘[the] Competence of the EDPB’ – including a discussion on the forms of issues on which the EDPB might issue a decision; iii) ‘The Right to be heard’ – including an interesting discussion on the right of impacted persons to be heard in a procedure ; iv) ‘Access to the file’; v) ‘The duty to give reasons’ – including a discussion of the need for the EDPB to provide the reasoning underlying its decision; and vi) ‘Judicial remedies’ – including discussions of the possibilities for various parties to seek judicial review of a decision. This is a set of Guidelines which deserves attention. The EDPB and the national DPAs are integral cogs in the development of EU data protection law. Accordingly, the rules of process by which such development occurs are themselves important for the procedural and substantive content of data protection law.


EDPB Releases Guidelines on Targeting of Social Media Users –

On 13th April the EDPB released the second version of their guidelines on targeting of social media users – after the public consultation of the first version of these guidelines. The purpose of the guidelines is to ‘offer guidance concerning the targeting of social media users, in particular as regards the responsibilities of targeters and social media providers.’ The guidelines focus on the following four themes in relation to observed data, inferred data and data provided directly by the data subject: i) the potential risks for the rights and freedoms of social media users; ii) the ‘main actors’ in the social media targeting environment and their respective roles and responsibilities under the GDPR; iii) the application of a selected number of GDPR requirements, namely lawfulness, transparency including the right of access, carrying out a DPIA, and processing special categories of personal data; and iv) arrangements between social media providers and targeters which regulate (the distribution of) their joint controllership responsibilities under Article 26 GDPR. We note that, in view of the complex network of entities which process personal data in the framework of social media, the Guidelines offer useful guidance on the distribution of responsibilities and basic data protection compliance.


EDPB Issues Statement on International Data Transfers

The EDPB has issued a statement on international data transfers concerning the ‘exchange of personal data between public authorities under existing international agreements in different areas’. The EDPB has issued the statement in response to questions the Board and national DPAs have been receiving on the issue. In the statement, the Board highlights the applicability of Article 96 GDPR and Article 61 LED, and observes in this regard that ‘all

international agreements involving the transfer of personal data to third countries or international organisations which were concluded by the EU Member States prior to 24 May 2016 or 6 May 2016 respectively, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.’ The Board go on, however, to encourage: ‘Member States to assess and, where necessary, review their international agreements that involve international transfers of personal data…in order to determine whether, while pursuing the important public interests covered by the agreements, further alignment with current Union legislation and case law on data protection, as well as EDPB guidance might be needed.’ The statement itself is short and contains few surprises. The statement does raise the interesting question, however, of the degree to which Articles such as 96 GDPR and 61 LED permit agreements which diverge from developments in EU law, to simply remain in place


EDPS Welcomes the Proposed AI Regulation with Reservation

On 23rd April the EDPS issued a press release following the official publication of the EU proposal for a Regulation on AI – the first proposal of its kind in the world. He welcomed the horizontal approach and broad scope adopted by the Commission. He was also positive about the risk-based approach, namely the focus on high-risk AI applications.However, the EDPS was concerned that the proposal does not go as far as put a moratorium on the use of remote biometric identification systems – such as facial recognition systems – in public spaces. The EDPS commits to continuing to advocate for a strict approach to biometric identification systems, irrespective of the purposes for, and context in which, they are used – i.e. law enforcement, administrative or commercial. The EDPS is now working on an in-depth analysis of the proposal, which we expect to result in an Opinion. The focus of the analysis will be, in particular, on ‘setting precise boundaries for those tools and systems which may present risks for the fundamental rights to data protection and privacy.’ We are looking forward to the upcoming Opinion and the guidance provided in it to legislators.


AEPD and EDPS Release Paper on Anonymisation

The AEPD – the Spanish DPA – and the EDPS have released a paper titled: ‘10

Misunderstandings Related to Anonymisation’. The misunderstandings discussed are the following: i) ‘Pseudonymisation is the same as anonymisation’; ii) ‘Encryption is anonymisation’; iii) ‘Anonymisation of data is always possible’; iv) ‘Anonymisation is forever’; v) ‘Anonymisation always reduces the probability of re-identification of a dataset to zero’; vi) ‘Anonymisation is a binary concept that cannot be measured’; vii) ‘Anonymisation can be fully automated’; viii) ‘Anonymisation makes the data useless’; ix) ‘Following an anonymisation process that others used successfully will lead our organisation to equivalent results’; x) ‘There is no risk and no interest in finding out to whom this data refers to’. The paper is relatively short, as are the discussions within. In this regard, the paper is not likely to tell data protection experts anything they did not already know. Nor is the paper likely to throw new light on, or open up new directions in, the discussion of the concept of anonymity. Given the practical confusion the concept has, and continues to, cause, however, the paper should still be seen as welcome.


Derogations from e-Privacy to Fight Child Sexual Abuse Material Almost Agreed 

EURACTIV reported last week that the Parliament and the Council are close to agreeing on a proposal for a Regulation for fighting child sexual abuse online by way of a derogation from the e-Privacy Directive (which might become an e-Privacy Regulation). The proposed Regulation will allow online providers to monitor the content of online communications in order to identify sexual abuse material, which is a clear derogation from the principle of confidentiality of communications which sits at the core of e-Privacy. Such monitoring actions are supposed to be temporary. There are reportedly two main points of disagreement between the Council and the Parliament. The first one concerns accuracy. The Parliament is concerned that a lot of sex-related content which does not relate to child sexual abuse will be erroneously flagged as such, which will unjustifiably breach the confidentiality of adults. The second one concerns the proposed anti-grooming measures. The Parliament wants to see these approved ex-ante by data protection authorities, a measure which is likely to be watered down in the final agreement. For those who wish to have a closer look at the ongoing negotiations, the EURACTIV story contains a link to the comparative table with the positions of the law-makers and the latest compromise.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply