{"id":72096,"date":"2020-02-16T20:14:35","date_gmt":"2020-02-16T19:14:35","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-16\/"},"modified":"2020-02-16T20:14:35","modified_gmt":"2020-02-16T19:14:35","slug":"data-protection-insider-issue-16","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-16\/","title":{"rendered":"Data Protection Insider, Issue 16"},"content":{"rendered":"<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22article%22:[%228%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-200442%22]}\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><strong>ECtHR Rules on Telecommunications Subscriber Registration &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 30th January, the ECtHR ruled on the <em>Breyer<\/em> case. The facts of the case were as follows: two German nationals bought pre-paid SIM cards. In the course of buying these SIM cards, they were required to provide certain personal information \u2013 including, for example, names, addresses, telephone numbers, dates of birth etc.. This information, in line with Article 111 of the German Telecommunications Act, was required to be stored and, in line with Articles 112 and 113 of the same act, could be accessed and used by a number of German authorities \u2013 mostly for the prevention and detection of crime. 
The applicants challenged Articles 111, 112 and 113 of the Telecommunications Act on the basis that these required a disproportionate collection and processing of their personal data and constituted an infringement of their Article 8 \u2013 right to respect for private and family life \u2013 and Article 10 \u2013 freedom of expression \u2013 rights under the ECHR. The Court found no violation of Article 8 and did not consider Article 10. <a style=\"text-decoration: underline;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22article%22:[%228%22],%22documentcollectionid2%22:[%22GRANDCHAMBER%22,%22CHAMBER%22],%22itemid%22:[%22001-200442%22]}\" target=\"_blank\" rel=\"noopener\">Whilst many in the data protection community may have expected a judgment with high significance for EU data retention discussions, this is not what has been delivered<\/a>. The Court was careful to highlight the substantial difference between the issues at hand in the case \u2013 the collection of subscriber data \u2013 and those in EU data retention discussions \u2013 the retention of communications metadata. Even in the judgment delivered, the Court left significant issues open. Two stand out. First, the Court made several statements as to the existence and function of safeguards concerning official access to stored data. The Court failed, however, to provide extensive explanation of the reasoning behind some of these statements \u2013 for example: \u2018the obligation to submit a written request for information was likely to encourage the authority to obtain the information only where it was sufficiently needed\u2019. Second, the Court recognised that legal obligations to retain subscriber personal data to combat crime represented a reasonable response in relation to \u2018changes in communication behaviour and in the means of telecommunications\u2019. 
The Court failed, however, to elaborate why the lack of empirical evidence that such retention led to a reduction in crime should not be considered in evaluating the reasonableness of the measure.\u00a0<\/span><\/p>\n<p>\u00a0<a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/news\/news\/2020\/seventeenth-edpb-plenary-session_de\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><\/span><span style=\"font-size: 14px; line-height: 21px;\"><strong>EDPB Adopts Seven Documents &#8211;<\/strong><\/span><\/a><\/p>\n<div>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 28th and 29th January, the EDPB had its 17th plenary session. <a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/news\/news\/2020\/seventeenth-edpb-plenary-session_de\" target=\"_blank\" rel=\"noopener\">As a result of the session, the EDPB adopted the following seven documents<\/a>:<\/span><\/p>\n<ul>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Opinions on the Accreditation Requirements for Codes of Conduct Monitoring Bodies submitted to the Board by the Belgian, Spanish and French supervisory authorities (SAs).<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Draft Guidelines on Connected Vehicles.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Final version of the Guidelines on the processing of Personal Data through Video Devices following public consultation.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Opinions on the draft accreditation requirements for Certification Bodies submitted to the Board by the UK and Luxembourg SAs.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Opinion 
on the draft decision regarding the Fujikura Automotive Europe Group\u2019s Controller Binding Corporate Rules (BCRs), submitted to the Board by the Spanish Supervisory Authority.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">A letter in response to MEP Sophie in\u2019t Veld\u2019s request concerning the use of unfair algorithms.<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Letter to the Council of Europe on the Cybercrime Convention.<\/span><\/li>\n<\/ul>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">The documents are not yet available on the EDPB website. The documents will be made available over the course of the coming days and weeks following the necessary legal, linguistic and formatting checks.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf;jsessionid=FDC3F2850403E0703C7284EB23DAC4A2?text=&amp;docid=222421&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=4131725  \" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; AG Opinion on Access to Telecommunications Data &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">On 21<sup>st<\/sup> January Advocate General Pitruzzella delivered his Opinion in response to three preliminary ruling questions by the Estonian Supreme Court concerning access by law enforcement authorities to telecommunication data 
under Article 15 (1) Directive 2002\/58. In response to these three questions, AG Pitruzzella came to two significant conclusions. <a style=\"text-decoration: underline;\" href=\"http:\/\/curia.europa.eu\/juris\/document\/document.jsf;jsessionid=FDC3F2850403E0703C7284EB23DAC4A2?text=&amp;docid=222421&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=4131725  \" target=\"_blank\" rel=\"noopener\">First, the AG argued that the categories of data collected, the temporal period in respect of which access to data is sought and the seriousness of the crime in question should be taken into account in evaluating the proportionality of an interference with fundamental rights<\/a>. Second, the AG argued that the requirement for independent review of the application for access to telecommunications data is not fulfilled where the review is carried out by a public prosecutor\u2019s office which then represents the public prosecution in subsequent judicial proceedings. The Opinion is further interesting from two perspectives. First, from the perspective of the questions the Opinion did not (wish to) answer. In the case, the CJEU was asked \u2013 by the European Commission \u2013 to rule on the compatibility of data retention as such with the CFREU. The AG, however, preferred not to directly answer this question. Instead, he merely observed: i) pursuant to the CJEU\u2019s existing case-law, general and indiscriminate retention is not compatible with the CFREU, and ii) that the Opinion of AG Campos S\u00e1nchez-Bordona from 15th January \u2013 which referred to the concept of \u201climited data retention\u201d \u2013 also did not exclude general retention in exceptional circumstances. Unfortunately, neither existing case law, nor the Opinion of AG Campos S\u00e1nchez-Bordona, provides clarity or finality in relation to the question of the legitimacy of data retention as such. 
Second, from the perspective of the argumentation employed in relation to the questions the Opinion did answer. The referring Court sought guidance as to whether access to telecommunication data should be restricted to serious crimes only. The AG concluded that Article 15(1) Directive 2002\/58 does not preclude access to this data in relation to serious crimes only. This seems contrary to the CJEU&#8217;s prior conclusion in <em>Tele2<\/em>. In addition, AG Pitruzzella did not provide detailed argumentation as to why access should be granted also in the framework of non-serious crimes, beyond simply stating that serious crime is defined differently in different Member States and that sometimes the seriousness of the crime cannot be defined at the beginning of an investigation. The AG failed to observe, however, that there are cases where EU law already provides a clear list of offences which are considered serious \u2013 e.g. the case of retention of PNR data.<\/p>\n<p><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/info\/sites\/info\/files\/cwp-2020-publication_en.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; The European Commission Publishes Working Programme 2020 &#8211;<\/strong><\/span><\/a><\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 29<sup>th<\/sup> January the European Commission published its Working Programme 2020. Annex I provides an informative overview of the upcoming 43 legislative and non-legislative initiatives. 
Of these, the following nine are digital policies and will likely have an impact on data protection:<\/span><\/p>\n<ul>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">A Strategy for Europe &#8211; Fit for the Digital Age (non-legislative, Q1 2020);<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">White Paper on Artificial Intelligence (non-legislative, Q1 2020);<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">European Strategy for Data (non-legislative, Q1 2020) concerning non-personal data;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Follow-up to the White Paper on Artificial Intelligence, including on safety, liability, fundamental rights and data (<strong>legislative<\/strong>, incl. impact assessment, Article 114 TFEU, Q4 2020);<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Digital Services Act (<strong>legislative<\/strong>, incl. impact assessment, Article 114 TFEU, Q4 2020);<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Review of the Directive on security of network and information systems (NIS Directive) (<strong>legislative<\/strong>, incl. 
impact assessment, Article 114 TFEU, Q4 2020);<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">New Strategy for the Implementation of the Charter of Fundamental Rights (non-legislative, Q4 2020);<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Report on the application of the General Data Protection Regulation (GDPR) (non-legislative, Q2 2020);<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Alignment of relevant Union law enforcement rules with regard to data protection (non-legislative, Q2 2020)<\/span><\/li>\n<\/ul>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/info\/sites\/info\/files\/cwp-2020-publication_en.pdf \" target=\"_blank\" rel=\"noopener\">Most innovative is the Commission\u2019s proposal for a legislative instrument on Artificial Intelligence, including on fundamental rights and data \u2013 presumably focused on data protection and privacy<\/a>. The other topics are not as novel and refer to pre-existing EU initiatives. Amongst these topics, it will be interesting to see how the Commission envisages implementing the much-needed alignment of law enforcement rules with respect to data protection. This intended alignment surely implies an amendment to all existing relevant instruments. This is, of course, welcome, given it is almost 4 years since Directive 2016\/680 entered into force. 
This raises the question as to why these instruments have not been amended so far, given it is almost 4 years since Directive 2016\/680 entered into force?<\/span><\/p>\n<\/div>\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ico.org.uk\/about-the-ico\/news-and-events\/news-and-blogs\/2020\/01\/statement-on-data-protection-and-brexit-implementation-what-you-need-to-do\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0ICO Release Statement on Brexit &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\">On the 29<sup>th<\/sup> of January, shortly prior to the UK leaving the EU, the ICO issued a statement about Brexit and EU-UK personal data flows. The focus of the statement is on the transition period, which will last until the end of December 2020. <a style=\"text-decoration: underline;\" href=\"https:\/\/ico.org.uk\/about-the-ico\/news-and-events\/news-and-blogs\/2020\/01\/statement-on-data-protection-and-brexit-implementation-what-you-need-to-do\/\" target=\"_blank\" rel=\"noopener\">In this regard, the ICO state: \u2018it will be <strong>business as usual<\/strong> for data protection. The GDPR will continue to apply. Businesses and organisations that process personal data should continue to follow our existing guidance for advice on their data protection obligations.\u2019<\/a> The ICO do recognise later in the statement, however, that the situation regarding data protection and EU-UK data flows following the transition period remains unclear. 
The statement is certainly welcome for businesses and organisations wondering about the significance of leaving the EU for EU-UK data flows. Moving forward, it will be fascinating to see what the future holds for UK-EU data flows. Early signs, however, indicate the road to a final stable framework may be rough and that the final framework may be less than ideal. In this regard, three factors, in particular, are noteworthy. First, the initial positions taken in EU-UK transition negotiations are adversarial. It is true these initial positions may represent mere sabre-rattling and that, even if these positions are retained, smooth data flows may be insulated from other political discussions. There is, however, no guarantee this will be the case. Second, there are already indications that UK uses of personal data may be problematic for EU Member States and that such uses may stand as obstacles to simply granting the UK adequacy. Finally, adequacy procedures themselves are lengthy affairs and are subject to political manoeuvring. 
Even if the UK retains the GDPR \u2013 or a GDPR copy \u2013 and is, substantially, adequate in all other relevant respects, this is still not a guarantee that an adequacy decision will be granted fast, or even at all.<\/span><\/p>\n<p><a style=\"text-decoration: none;\" href=\"https:\/\/iapp.org\/news\/a\/eu-parliament-debates-could-california-be-considered-adequate-on-its-own\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; European Parliament Discuss Californian Adequacy &#8211;<\/strong><\/span><\/a><\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px;\">\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\">Earlier this month, the European Parliament discussed the third annual review of the Privacy Shield agreement. The discussion was lengthy and several interesting, and differing, viewpoints were presented. <a style=\"text-decoration: underline;\" href=\"https:\/\/iapp.org\/news\/a\/eu-parliament-debates-could-california-be-considered-adequate-on-its-own\/\" target=\"_blank\" rel=\"noopener\">In the course of the discussion, however, one particularly interesting question emerged: should the Privacy Shield agreement ever be struck down, could California receive adequacy on its own?<\/a> The discussion naturally emerged on the back of recognition of the strength, compared to federal protection, of the new Californian state data protection law, the CCPA. The discussion is interesting for several reasons. Two stand out. 
First, the discussion highlights the seldom-considered possibility for states, or territories, within countries, to apply for adequacy separately from the country itself \u2013 recall the discussions as to the adequacy of Quebec in 2014. Second, the discussion gives pause for serious reflection on the CCPA and other relevant Californian law, and their compatibility with European data protection laws. In the first instance, despite the fact the CCPA has been largely lauded in Europe for the strength of protection it offers, and even though it has been referred to as a US GDPR, there remain significant differences between the CCPA and European data protection laws. Compare, for example, the scope of the CCPA as providing protection for consumers\u2019 personal data and the scope of the GDPR as providing protection for natural persons\u2019 personal data. In turn, even if the CCPA were a carbon copy of the GDPR, California is still a state in the US. Accordingly, California is still subject to federal laws. 
Some of these laws have been highlighted as problematic for EU data protection standards in the past and would need to be taken into account in any state adequacy process in the future.<br \/>\n<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211;\u00a0ECtHR Rules on Telecommunications Subscriber Registration &#8211; On 30th January, the ECtHR ruled on the [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72096","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72096","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72096"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72096\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72096"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72096"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}