Data Protection Insider, Issue 58

–  EDPB Adopts Opinions on Belgian BCRs

On 26th October, the EDPB adopted two Opinions concerning Belgian companies’ BCRs: i) ‘Opinion 33/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding.

Corporate Rules of Carrier’; and ii) ‘Opinion 34/2021 on the draft decision of the Belgian Supervisory Authority regarding the Controller Binding Corporate Rules of Otis’. In both cases, the EDPB considered the proposed BCRs as unproblematic and that they adhered to all relevant requirements. The Opinions relate to BCRs, the content of which may be of interest to those dealing with the creation and substantive conditions relevant for functional and legitimate BCRs. The Opinions themselves are relatively short and limited in terms of discussion of the substantive content of the BCRs in question. The Opinions, however, are nevertheless interesting as they provide an insight into the procedures via which BCRs are adopted, and the conditions around which these procedures revolve.


GPA Publishes Highlights of 2021 Closed Sessions

The 43rd GPA Closed Sessions were held on 20th-21st October 2021. ‘Resolutions were discussed and agreed at the conference, giving a shared view on a range of important current topics:

  • Data sharing for the public good;
  • Children’s digital rights;
  • Government access to data; and
  • The future of the Global Privacy Assembly

Other topics discussed in detail included international enforcement cooperation and regulatory sandboxes.’ The resolution are available on GPA’s website, where the strategic plan for the following two years can also be found.



– Draft Impact Assessment of the Upcoming EU Data Act Leaked

On 27th October, the independent Regulatory Scrutiny Board which monitors the Impact Assessment of new EU legislative proposals rejected the proposed EU Data Act, according to a leaked Impact Assessment. The identified problems are the insufficient information about the conditions under which governments may access data, the proposed compensatory provisions for businesses and the unclear relationship between the proposal and other legislative acts. The leaked Impact Assessment, as seen by EURACTIV, nevertheless provides an overview of the content of the proposal. The proposal, which is part of the European Strategy on Data and is expected to be adopted at the beginning of 2022, is supposed to boost both the data economy and help governments adopt better policies and services. According to EURACTIV, the proposed Data Act will focus on regulating the following matters: (1) consumer and business access to data, although EURACTIV reports that the Act might not anchor ‘significant access rights’, which might be rather regulated by other means, e.g. contracts; (2) access to data by public authorities, which would be ‘based on a list of purposes defined at the EU level limited to “only the most pressing social needs, where other means of accessing data are not available,” including exceptional circumstances, environmental protection and public health.’ A balance between the business interests, fundamental rights and public interests is supposed to be achieved; (3) interoperability, especially to enable the switching of cloud providers; and (4) a ban on data transfers to Third States whose laws are in conflict with EU and Member State legislation. Interested readers may read the updated EURACTIV article for more details of the Act.


– OAIC and ICO Investigation into Clearview AI –

On 3rd November, the Australian and UK DPAs announced the completion of their investigation into Clearview AI, which began in 2020. According to the announcement, ‘the ICO is considering its next steps and any formal regulatory action that may be appropriate under the UK data protection laws.’ The Australian DPA (the OAIC) however, has already concluded that: ‘Clearview AI, Inc. breached Australians’ privacy by scraping their biometric information from the web and disclosing it through a facial recognition tool.’ More specifically, the OAIC found that: ‘Clearview AI breached the Australian Privacy Act 1988 by:…collecting Australians’ sensitive information without consent…collecting personal information by unfair means…not taking reasonable steps to notify individuals of the collection of personal information…not taking reasonable steps to ensure that personal information it disclosed was accurate, having regard to the purpose of disclosure…not taking reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.’ In consequence, ‘Clearview AI [should] cease collecting facial images and biometric templates from individuals in Australia, and to destroy existing images and templates collected from Australia’. The conclusion of the investigation is interesting from several perspectives. In the first instance, whilst the substance of the decision made on the back of the investigation is Australian, and relates to Australian law, the investigation was international, and many of the criticisms may have resonance within Europe. In turn, the outcomes of the investigation provide further valuable input to the emerging collage of information related to the issue of the legitimacy of AI and facial recognition.


IAB Provides Update on Belgian Investigation

On 5th November, the IAB published an update of the Belgian DPA’s ‘investigation of IAB Europe and its role in the Transparency & Consent Framework (TCF)’. The IAB announce that: ‘The draft ruling will apparently identify infringements of the GDPR by IAB Europe, but it will also find that those infringements should be capable of being remedied within six months following the issuing of the final ruling, in a process that would involve the APD [the Belgian DPA] overseeing the execution of an agreed action plan by IAB Europe.’ The IAB further clarify that: ‘The draft ruling is expected to be shared with other Data Protection Authorities…in the coming 2-3 weeks under the Cooperation Procedure laid down in the GDPR. Those DPAs will have 30 days to review it. Depending on the outcome of that review, the APD may adopt a final ruling or the matter may be referred to the European Data Protection Board for a binding decision.’ Given the significance of investigations into AdTech for data processing business models, the final decision of this investigation should be followed with interest.


– First Review Meeting of the EU-Japan Mutual Adequacy Decisions –

On 26th October, the EU Commission, data protection authorities and Japanese authorities met to carry out the first review of the mutual adequacy decisions between the EU and Japan, which were adopted in 2019. The review covered a broad range of topics, including the application of the agreements, the relevant legal developments and access to personal data by governments. From the press release quoting Commissioner Didier Reynders and Shuhei Ohshima, Personal Information Protection Commission of Japan, the commitment of both partners to upholding data protection and the free flow of data between the regions becomes evident. The final step to completing the review this year are the publication of the reports on the functioning of each adequacy decision by the EU and Japan. 


DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Leave a Reply