– Commission Publishes New SCCs –
On 4th June, the European Commission ‘adopted two sets of standard contractual clauses, one for use between controllers and processors and one for the transfer of personal data to third countries.’ In terms of law, the Commission asserts that the new SCCs take into account requirements under the GDPR as well as the CJEU’s elaborations on international transfers in Schrems II. In terms of practice, the Commission suggests that ‘these new tools will offer more legal predictability to European businesses and help, in particular, SMEs to ensure compliance with requirements for safe data transfers, while allowing data to move freely across borders, without legal barriers.’ The Commission highlights a set of innovative features in the new SCCs, including:
- ‘Update in line with the [GDPR];
- One single entry-point covering a broad range of transfer scenarios, instead of separate sets of clauses;
- More flexibility for complex processing chains, through a ‘modular approach’ and by offering the possibility for more than two parties to join and use the clauses;
- Practical toolbox to comply with the Schrems II judgment; i.e. an overview of the different steps companies have to take to comply with the Schrems II judgment as well as examples of possible ‘supplementary measures’, such as encryption, that companies may take if necessary’.
A transition period of 18 months is now in effect concerning international processing operations legitimated under the old SCCs. Whether the new SCCs can deliver on their promises remains to be seen. We would also note that reliance on the new SCCs alone cannot lift the general obligation that all transfers of personal data outside the EU must maintain an ‘essentially equivalent’ standard of protection to that available in the EU – as elaborated, for example, in Schrems II.
– Commission Adopts Digital ID Proposal–
On 3rd June, the Commission adopted a proposal concerning e-IDs which will build on the existing Member State schemes for digital IDs. Under the new scheme, the digital IDs, called ‘European Digital Identity Wallets’, will ‘allow (…) citizens to digitally identify themselves, store and manage identity data and official documents in electronic format. These may include a driving licence, medical prescriptions or education qualifications. With the wallet, citizens will be able to prove their identity where necessary to access services online, to share digital documents, or simply to prove a specific personal attribute, such as age, without revealing their identity or other personal details.’ The proposal is supposed bring the following four main amendments to the existing scheme. First, the European Digital Identity Wallets will now be available to every EU citizen and resident and will be accepted in all Member States. Second, all public and some private service providers in the EU will be obliged to accept the eIDs issued by all the Member States. Third, the new Digital Identity scheme may be used both online and offline. Fourth, the Commission is proposing interoperability standards to enable the cross-border usage of the scheme and is also working on establishing a high level of security of the personal data processed by the application. The scheme is supposed to remain voluntary, i.e. citizens and residents remain free to use it if they wish, but they will not be obliged to do so. The digital IDs will continue being issued by a Member State. According to the proposal, citizens will have full control over their data and the scheme is supposed to comply with the GDPR. However, we note that a careful examination of the proposal is needed in order to assess whether the proposal indeed ensures a high level of data protection.
– Commission Probing into Belgian DPA Independence–
On 9th June, the Commission sent a formal letter to the Belgian government concerning the independence of the Belgian DPA. The letter seems to be a response to several complaints submitted last year that members of the Commission are not independent from external influence. It is alleged that some members are not politically independent as they report to the Belgian government, or they are members of the Information Security Committee, or they participate in government projects on COVID-19 contact tracing solutions. If it is proven that indeed the Belgian DPA is not independent, this would be a breach of Article 52 GDPR. Already in March 2021 the Commission sent a letter to the Belgian government expressing concerns about the Belgian DPA’s independence. However, the reply did not alleviate the concerns and now the Belgian government has to reply within two months which measures it has taken in order to ensure the independence of the Belgian DPA. If it again does not alleviate the concerns, the Commission will send back a reasoned opinion. If the issue is eventually not resolved, then the dispute might end up at the CJEU.
– EDPB Releases Their Annual Report–
On 2nd June, the EDPB released its annual report, taking stock of their activities in 2020. From the executive summary it becomes evident that the EDPB contributed to data protection in the following ways:
- When participating in the GDPR evaluation, they noted the necessity for more resources for the SAs, for alignment of national procedure and that at the moment a revision of the GDPR is not necessary;
- They issued guidance on the processing of personal data in the framework of the COVID-19 pandemic and on international transfers following the Schrems II judgement in view of its implementation in practice;
- They adopted one dispute resolution decision concerning the Twitter fine issued by the Irish DPA;
- The EDPB issued ten guidelines, two recommendations and 32 Article 62 GDPR Opinion in total;
- They published a register concerning the one-stop-shop decisions taken by the national DPAs;
- The EDPB organised seven stakeholder consultations and a survey about their work;
- They adopted their Strategy for 2021 – 2023 and the working plan for 2021 – 2022 based on the Strategy.
– Amazon to be Hit with Largest GDPR Fine to Date?–
The Wall Street Journal reports that La Commission Nationale pour la Protection des Données (CNPD), Luxembourg’s DPA, has proposed that Amazon be fined 349 Million Euros for breaches of the GDPR. The CNPD is the lead DPA for the company, whose European headquarters are located in Luxembourg. A fine of this size would amount to 2% of the company’s net income last year or 0.1% of its sales last year – recall that the GDPR permits DPAs, under Article 83(5), to levy fines for certain infringements at up to ‘4 % of the total worldwide annual turnover of the preceding financial year’. Specific details of the alleged violations behind the fine remain unclear – although the fine does not, supposedly, relate to Amazon’s cloud computing business. The proposal appears in a draft decision concerning Amazon which has been circulated among the other EU DPAs. The draft decision still needs to be agreed to by the other DPAs. However, there are already, allegedly, certain objections which have been put forward to the decision. Should the fine eventually be handed down in its current form, it will be, by some distance, the largest fine issued under the GDPR. The size, form, regularity and location of GDPR fines are central to the impact the law has on shaping personal data processing practices. It will be interesting to see how companies and markets react to the release of this news.
– CNIL Publishes Recommendations on Children’s Privacy Online –
On June 9th, La Commission Nationale de L’informatique et des Libertés (CNIL), France’s DPA, published a set of eight recommendations intended to secure the protection for children online. The recommendations build on a survey and consultation process on the topic – including workshops in which minors’ views were considered – as well as in-depth legal analysis. The CNIL highlight the need for these recommendations in light of major societal challenges concerning children’s online privacy, including, for example, the significant value of children’s data. The eight recommendations concern: i) the regulation of minors’ ability to act online; ii) the encouragement of minors to exercise their rights; iii) the support of parents in the digital education of minors; iv) parental consent for minors under 15; v) the promotion of parental tools which respect minors’ privacy and interests; vi) the reinforcement of information disclosure and minors’ rights by design; vii) age verification and parental consent in light of privacy; and viii) the provision of specific safeguards to protect minors’ interests. The topic of children’s online privacy deserves focused attention and the recommendations are, in this respect, welcome. The CNIL’s recommendations come only weeks after the UN Special Rapporteur on the Right to Privacy – Joseph A. Cannataci – delivered his latest report to the UN Human Rights Council, which also had a focus on children’s privacy.