– EDPB Adopts a Dispute Resolution Decision Concerning WhatsApp –
During the 53rd Plenary Session on 28th July, the EDPB adopted a binding dispute resolution decision pursuant to Article 65 GDPR. The decision concerns the draft decision adopted by the Irish Supervisory Authority (SA) following its inquiry into whether the transparency provisions of WhatsApp are compliant with Articles 12-14 GDPR. The dispute resolution mechanism was triggered by the Irish SA – the lead SA as concerns WhatsApp Ireland Ltd. In December 2020, it shared its draft decision with the concerned supervisory authorities, which raised objections ‘concerning, among others, the identified infringements of the GDPR, whether specific data at stake were to be considered personal data and the consequences thereof, and the appropriateness of the envisaged corrective measures.’ The lead SA disagreed with the raised objections, as a result of which no consensus was reached, and referred the draft decision to the EDPB under the dispute resolution mechanism. The binding decision adopted by the EDPB ‘addresses the merits of the objections found to be “relevant and reasoned” in line with the requirements of Art. 4 (24) GDPR.’ The next steps are the EDPB notifying the concerned SAs of the final decision, the lead SA adopting its final decision ‘on the basis of the EDPB decision’ and communicating it to the controller within a month of the EDPB decision, and the EDPB publishing its decision after the controller has been notified.
– EDPB Publishes Overview of DPA Resources and Enforcement Actions –
On 5th August, the EDPB published their ‘Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities’. In terms of resources, the document covers: i) ‘Financial resources’; and ii) ‘Human resources’. In terms of enforcement actions, the document covers: i) ‘Total number of enforcement cases (national and cross-border cases)’; ii) ‘Complaints’; iii) ‘Ex officio Investigations’; iv) ‘Data breach Notifications’; v) ‘Exercise of SA’s corrective powers on national and cross-border cases’; vi) ‘Judicial appeal of the cases with a fine’; vii) ‘Timeframe to decide’; and viii) ‘The procedural rights of a complainant and a controller’. Questions concerning the capacity and actions of, and differences between, DPAs are key to understanding how data protection law functions in fact and as to where its deficiencies may lie. In this regard, the provision of statistics in the report is very welcome. The report contains a great range of comparative statistics concerning DPAs. These statistics deserve much closer scrutiny and more serious analysis than can be provided here. Nevertheless, even at first glance the figures make interesting reading. Consider, for example, the difference between the largest and smallest fines issued by DPAs in the last year: 50,000,000 Euros in France, compared to only 4,400 Euros in Lithuania.
– EDPS Issues Opinion on Proposed Directive on Consumer Credits –
On 26th August, the EDPS released their ‘Opinion 11/2021 on the Proposal for a Directive on consumer credits’. The Opinion concerns the European Commission’s ‘Proposal for DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on consumer credits’ – published on 30th June 2021. The EDPS makes positive general observations on the Proposal. In this regard, the EDPS, for example: ‘welcomes the objective of the Proposal, which aims to strengthen consumer protection, taking into account the increased digitalisation in the consumer credit sector’. Nevertheless, the EDPS also highlights a series of issues with the Proposal. On a general level, the EDPS highlights, for example: ‘An additional serious concern, not sufficiently addressed in the current Proposal, exists in relation to what types and sources of data are used by lenders to assess consumers’ creditworthiness and how artificial intelligence algorithms and interpret those data.’ More specific comments are then made in relation to: i) ‘Information and sources of information for the assessment of creditworthiness’; ii) ‘Procedures for creditworthiness assessment’; iii) ‘Consumer rights regarding creditworthiness assessment’; iv) ‘Consultation of relevant databases in the context of the creditworthiness assessment’; v) ‘Consumer rights having regard to the personalised offer (loan pricing)’; vi) ‘Advertising and marketing of credit agreements; advisory and other services’; vii) ‘Relationship to existing Union legislation on personal data protection’; and viii) ‘Interaction with the proposed Artificial Intelligence Act’.
– EDPS Publishes Opinion on the Proposal for a Regulation on the Schengen Evaluations –
On 27th July, the EDPS released Opinion 10/2021 on the Proposal for a Council Regulation concerning Schengen evaluations. The Proposal seeks to replace and improve the existing Regulation on monitoring and evaluating the application of the Schengen acquis. In its Opinion, the EDPS welcomes in particular three elements of the Proposal: (i) the special attention to the compliance with fundamental rights, including data protection; (ii) the enhanced cooperation with the relevant Union institutions, bodies and agencies, including with the EDPS, whose staff have participated as observers in the previous evaluations, and the clarity on the role of the observers; and (iii) the improved transparency provisions on the results of the evaluation. The Opinion raises two major concerns, in view of which it makes the following two recommendations: (i) the need for clarifying the scope of the evaluations by providing a non-exhaustive list of policy areas, including explicitly data protection; and (ii) the need for clarifying the proposed scope of the evaluations of the Union bodies and agencies as long as they assist the Member States in the implementation of the different Schengen policies. Since the EDPS is responsible for supervising the compliance of these agencies with the applicable data protection provisions, the EDPS recommends clarifying how the proposed supervision will work in practice to avoid duplication, what competence the involved actors will have and how to guarantee the independence of the EDPS in these evaluations.
– EDPB on Migrant Surveillance in Italy –
On 10th August, the EDPB responded by letter to MEP Ms in ’t Veld regarding the concerns she had raised about the deployment of an Automatic Image Recognition System amongst migrants in Italy. According to the letter, the system is deployed by the police authorities to monitor the disembarkation operations in Italy and could also be used ‘in general to operate in support of investigative activities.’ The EDPB noted the negative Opinion issued by the Italian Data Protection Authority about the technology. As to the contribution by the EDPB to the work on the issue of facial recognition, the EDPB expressed that they consider biometric surveillance a very sensitive area in need of regulation in view of the risks it poses to different fundamental rights, including data protection. They recall the critical stance they took on biometric surveillance in the law enforcement area in the joint EDPS-EDPB Opinion on the Proposed AI Act, note that the EDPB are drafting Guidelines on the deployment of facial recognition technologies in the law enforcement field, and state that they will continue monitoring the emergence and use of technologies, ‘such as facial recognition, and their potential impact on the fundamental rights and daily lives of individuals, and will help to shape Europe’s digital future in line with our common values and rules, while continuing to work with other regulators and policymakers to promote regulatory coherence and enhanced protection for individuals.’
– UK GDPR Certification Scheme Conditions Approved by ICO –
On 19th August 2021, the Information Commissioner’s Office (ICO) – the UK’s DPA – confirmed approval of the first set of certification scheme criteria under the UK GDPR. Under the UK law – comparably to the GDPR itself: ‘Certification works by providing a framework for organisations to follow, which offers clients and customers assurance that they are adhering to strong standards.’ According to the ICO: ‘ADISA, experts in IT asset disposal services, have developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed… [whilst] Age Check Certification Scheme (ACCS) have developed criteria for two schemes, the first relating to age assurance and the second looking at children’s online privacy.’ Certification – and comparable mechanisms – constitute means by which the abstract principles of data protection law can be translated into more concrete conditions, in specific circumstances. Accordingly, they hold much promise as a bridge between the text of the law and the realisation of the law in fact. In this regard, the adoption of the schemes should be met with interest both as regards their content – they deal with substantively pertinent and important issues – and as regards the procedures by which they should function and the procedures by which they were adopted.