Data Protection Insider, Issue 55

–  ECtHR Considers Domestic Violence and Cyberviolence in Volodina (No. 2)

On 14th September, the ECtHR ruled in the case of Volodina v. Russia (no. 2). In essence, the case concerned the applicant’s claim that the Russian authorities had not acted effectively in investigating cyberviolence – including, among other things, the publication of photos and the creation of fake social media profiles – by an individual with whom the applicant had had a relationship. The Court found a violation of Article 8. In doing so, the Court highlighted general principles regarding states’ positive obligations in relation to domestic violence and cyberviolence: ‘the concept of private life includes a person’s physical and psychological integrity which the States have a duty to protect, even if the danger comes from private individuals…The particular vulnerability of victims of domestic violence and the need for active State involvement in their protection has been emphasised both in international instruments and in the Court’s well-established case-law…The acts of cyberviolence, cyberharassment and malicious impersonation have been categorised as forms of violence against women and children capable of undermining their physical and psychological integrity in view of their vulnerability…The Court has recently pointed out that “cyberharassment is currently recognised as an aspect of violence against women and girls and can take a variety of forms, such as cyber‑violations of private life … and the taking, sharing and handling of information and images, including intimate ones”…Online violence, or cyberviolence, is closely linked with offline, or “real-life”, violence and falls to be considered as another facet of the complex phenomenon of domestic violence…The States have a positive obligation to establish and apply effectively a system punishing all forms of domestic violence and to provide sufficient safeguards for the victims…The Court has found that this positive obligation…includes in particular: (a) the obligation to establish and apply in practice an adequate legal framework affording protection against violence by private individuals; (b) the obligation to take the reasonable measures in order to avert a real and immediate risk of recurrent violence of which the authorities knew or ought to have known, and (c) the obligation to conduct an effective investigation into the acts of violence’. In relation to the specific facts of the case, the Court concluded that: ‘even though the existing framework equipped the authorities with legal tools to prosecute the acts of cyberviolence of which the applicant was a victim, the manner in which they actually handled the matter – notably a reluctance to open a criminal case and a slow pace of the investigation resulting in the perpetrator’s impunity – disclosed a failure to discharge their positive obligations under Article 8 of the Convention. There has accordingly been a violation of that provision.’


EDPS Issues Opinion on the AML/CFT Legislative Proposals Package

On 22 September, the EDPS issued an Opinion on the AML/CFT Legislative Proposals Package. The EDPS made a huge number of recommendations meant to improve the Proposals in data protection terms. Amongst these, we identified five important recommendations: (1) identifying in the proposals the categories of personal data which may be processed in the framework of the future legislative acts, including the conditions and limits to sensitive data and on the scope of the processing of personal data relating to criminal offences and convictions; (2) regulating, on a need-to-know basis, in line with the necessity and proportionality principles, the access to the data to be stored on the beneficial ownership registers by the different authorities that might be granted access – on that point the EDPS considers that general access by the public, including by NGOs which work on investigating money laundering activities, might be problematic; (3) information should be gathered on the effectiveness of the registers in fighting money laundering and financing of terrorism; (4) when the future authority which will coordinate the supervision and enforcement of the rules (AMLA) issues guidelines on how the authorities should perform data analysis, they should consult EDPS and the EDPB, and should ideally aim for investigative rather than intelligence methods; and (5) when analysing customer data, the obliged entities, e.g. financial services, should take special care to ensure the accuracy of the data, including with their sources. We note that there are further interesting points to specific provisions in the legislative package, which we invite interested readers to check out in the Opinion.


EDPB Holds 55th Plenary Meeting

On 24th September, the EDPB held its 55th Plenary Meeting online. According to the minutes of the meeting, the work of the EDPB is currently focused on (1) the Opinion on the adequacy decision with South Korea under the GDPR and (2) the ‘(c)ooperation on the complaints by NYOB on the issue of cookies and dark patterns’, on which point the EDPB wishes to establish a taskforce.


EU Cybersecurity Law for Connected Devices

Euractiv reports that, on 15th September, Ursula von der Leyen – President of the European Commission – announced ‘a Cyber Resilience Act aimed at setting common cybersecurity standards for connected devices.’ Reportedly, the Act should function in response to the dangers posed by the possibilities to infiltrate connected devices, an issue which remains inadequately addressed in current EU approaches to cybersecurity. The Act would constitute an addition to an existing Directive on Security of Network and Information Systems proposal (NIS2) – aimed at ‘address[ing] the deficiencies of the previous NIS Directive, to adapt it to the current needs and make it future-proof.’ Specific details on the Act, however, remain scarce and it remains to be seen precisely what the substance of the Act will be and how the Act will pass through EU legislative procedures.


Irish DPC and Garante Issue Statement on Facebook Glasses

On 17th September, the Irish DPC and the Garante – the Italian DPA – issued a joint statement on the Facebook View product. Facebook View – a collaboration between Facebook and Ray-Ban – is a wearable technology product which, according to the DPAs, uses ‘voice-activated controls [to allow] a wearer of [specially-built] glasses to record short videos and take photos for posting on social media.’ The product was launched in Ireland and Italy in the same week the statement was released. In the statement, the two DPAs highlight their concerns about ‘the means by which those captured in the videos and photos can receive notice they are being recorded’. The DPAs accept that other devices are capable of performing similar recording functions, but consider that such devices – such as smartphones – are ‘visible as the device by which recording is happening, thereby putting those captured in the recordings on notice.’ In contrast, they observe that: ‘With the glasses, there is a very small indicator light that comes on when recording is occurring [and] [i]t has not been demonstrated to the DPC and Garante that comprehensive testing in the field was done by Facebook or Ray-Ban to ensure the indicator LED light is an effective means of giving notice.’ In this regard, the DPAs call on ‘Facebook Ireland to confirm and demonstrate that the LED indicator light is effective for its purpose and to run an information campaign to alert the public as to how this new consumer product may give rise to less obvious recording of their images.’ We recall there have been other smart-glasses products available before now, which have not fared well. It will be interesting to follow the trajectory of this latest effort and to consider the differences in public and policy reactions, if any, and to see how these influence the course of adoption. 


– WhatsApp to Appeal Irish DPC’s Fine 

On 16th September, the Irish Times reported that WhatsApp has launched an appeal with the Irish High Court against the Data Protection Commission’s (DPC) decision to impose upon WhatsApp a record fine of € 225 million, which WhatsApp considers disproportionately high. This is despite the fact that, according to the Irish Times, WhatsApp had expected an even higher fine. In addition, WhatsApp seeks to quash the decision in its entirety and to challenge Irish law. According to the Irish Times, ‘WhatsApp claims the DPC’s decision is unconstitutional and incompatible with the European Convention on Human Rights (ECHR)’, in particular with the right to fair trial in Article 6 ECHR. According to WhatsApp, its right to fair hearing was breached, because the Irish DPC, as set-up under Irish law, ‘does not constitute an independent and impartial tribunal.’ It also claims that the fine is not constitutional, because it interferes with its constitutional property rights. However, Irish law allows only a challenge against the administrative fine itself. Finally, ‘WhatsApp also intends to challenge the European Data Protection Board instruction to the Court of Justice for the European Union.’ To the best of our knowledge, if WhatsApp indeed challenges the EDPB decision, which influenced the Irish DPC’s final decision, this will be the first such challenge of an EDPB decision.


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply