{"id":72103,"date":"2020-02-20T20:25:48","date_gmt":"2020-02-20T19:25:48","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-17\/"},"modified":"2020-02-20T20:25:48","modified_gmt":"2020-02-20T19:25:48","slug":"data-protection-insider-issue-17","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-17\/","title":{"rendered":"Data Protection Insider, Issue 17"},"content":{"rendered":"
\n

– European Parliament Discuss Californian Adequacy –<\/strong><\/span><\/a><\/p>\n

Earlier this month, the European Parliament discussed the third annual review of the Privacy Shield agreement. The discussion was lengthy and several interesting, and differing, viewpoints, were presented. In the course of the discussion, however, one particularly interesting question emerged: should the Privacy Shield agreement ever be struck down, could California receive adequacy on its own?<\/a> The discussion naturally emerged on the back of recognition of the strength, compared to federal protection, of the new Californian state data protection law, the CCPA. The discussion is interesting for several reasons. Two stand out. First, the discussion highlights the seldom-considered possibility for states, or territories, within countries, to apply for adequacy separately from the country itself \u2013 recall the discussions as to the adequacy of Quebec in 2014. Second, the discussion gives pause for serious reflection on the CCPA and other relevant Californian law, and their compatibility with European data protection laws. In the first instance, despite the fact the CCPA has been largely lauded in Europe for the strength of protection it offers, and even though it has even been referred to as a US GDPR, there remain significant differences between the CCPA and European data protection laws. Compare, for example, the scope of the CCPA as providing protection for consumers\u2019 personal data and the scope of the GDPR as providing protection for natural persons\u2019 personal data. In turn, even if the CCPA were a carbon copy of the GDPR, California is still a state in the US. Accordingly, California is still subject to federal laws. Some of these laws have been highlighted as problematic for EU data protection standards in the past and would need to be taken into account in any state adequacy process in the future.<\/span><\/p>\n

 <\/p>\n<\/div>\n

\n

\u00a0–\u00a0<\/strong><\/span>ECtHR on the Retention of DNA Profiles, Fingerprints and Photographs –<\/strong><\/span><\/a><\/p>\n

On 13th<\/sup> February, the ECtHR ruled on the case of Gaughran v. The United Kingdom<\/em>. The facts of the case were as follows: the applicant was arrested and convicted for drunk driving in Northern Ireland. In the course of his arrest and conviction, a range of personal data was taken from him, including: his DNA, from which a DNA profile was created; his fingerprints; and a photograph. This personal data was then retained for an indefinite period under national legislation. The applicant alleged that the indefinite retention of this data constituted a disproportionate interference with his Article 8 right to respect for private life. The Court unanimously ruled an interference had taken place. In this regard, the Court reasoned that \u2018the indiscriminate nature of the powers\u00a0of retention of the DNA profile, fingerprints and photograph of\u2026[a] person\u00a0convicted\u00a0of an\u00a0offence,\u00a0even if\u00a0spent,\u00a0without reference to the seriousness of the offence or the need for indefinite retention and in the absence of any real possibility of review,\u00a0failed\u00a0to strike a fair balance between the competing public and private interests.\u2019 The case is interesting for several reasons. Two deserve mention. First, the Court highlighted the unique post-mortem, familial, privacy interests engaged by DNA profiles.<\/a> Specifically, the Court highlighted that an indefinite DNA profile retention scheme was not comparable to an indefinite fingerprint or an indefinite photo retention scheme as DNA profiles could allow information on genetic relatives to be extracted and processed long after an initial donor had died. Second, the Court highlighted the significance of facial recognition technologies as transformative of the degree of interference with fundamental rights implied by the retention of photographs.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– ECtHR on the Retention of DNA Profiles (Again) –<\/strong><\/span><\/a><\/p>\n

On 13th<\/sup> February, the ECtHR ruled on the case of Trajkovski and Chipovski v. North Macedonia<\/em>. The facts of the case were as follows: in the course of their arrest and conviction for theft, the two applicants had DNA samples extracted from them. The DNA profiles created from these DNA samples were then retained by national law enforcement authorities. The applicants alleged the extraction and retention of, respectively, their DNA samples and DNA profiles, constituted an infringement of their Article 8 rights to respect for private life. In particular, they applicants alleged there was no clear legislative framework governing such extraction and retention in North Macedonia. The Court unanimously found an interference had taken place. In this regard, the Court argued that: \u2018the blanket and indiscriminate nature of the powers of retention of\u00a0the\u00a0DNA profiles of the applicants,\u00a0as persons convicted of an offence, coupled with the absence of\u00a0sufficient\u00a0safeguards available to the applicants,\u00a0fails to strike a fair balance between the competing public and private interests.\u2019 The case is less interesting than the similar case of Gaughran v. The United Kingdom<\/em> (discussed above). The legal logic sticks closely to established principles in ECtHR case law and the facts of the case are such that the finding is unsurprising. Nevertheless, there are noteworthy aspects of the ruling. In particular, the Court asserted that \u2018DNA material\u2019 constitute personal data \u2013 reiterating their position in the Marper<\/em> case.<\/a> This assertion adds further legal weight to the argument that DNA samples and other biological material should be regarded as personal data in EU data protection law.<\/p>\n

 <\/p>\n<\/div>\n

\n

– ECtHR on Lawyer-Client Confidentiality –<\/strong><\/span><\/a><\/p>\n

On 4th<\/sup> February, the ECtHR ruled in the Krugov and others<\/em> case concerning police searches of lawyers\u2019 homes and offices. The fifteen applicants were lawyers and clients of the applicant lawyers. Of the lawyers, only one<\/em> was under suspicion of having committed a criminal offence. The applicants\u2019 alleged that the search warrants and\/or the way the searches had been carried out were illegitimate and constituted a violation of their Article 8 rights. The ECtHR concurred and found a violation. The ECtHR asserted that the warrants and searches had an overly broad scope and that the domestic courts which had permitted them had failed to strike the right balance between the need for confidentiality in lawyer-client relationships and the need to investigate crime.<\/a> In particular, the ECtHR highlighted that adequate safeguards to protect lawyer-client confidentiality were missing from the warrants and searches. For example, there was no sifting of data carried out to make sure investigating authorities did not obtain data unrelated to the cases being investigated. The reasoning of the ECtHR in the case was notable for several reasons. Two stand out. First, although the ECtHR asserted that Russian law complied with the \u201cin accordance with the law\u201d criterion, the ECtHR also highlighted \u2013 in somewhat contradictory manner \u2013 that Russian law did not protect all types of professional confidentiality. Second, as the ECtHR pointed out on several occasions throughout the judgment, the domestic authorities failed to perform adequate necessity and proportionality assessments. This observation is unusual for a case concerning Article 8 and Russia. In other such cases, the ECtHR has tended to focus on the \u201cin accordance with the law\u201d requirement and has refrained from looking at the necessity and proportionality of measures.<\/span><\/p>\n

 <\/p>\n

\n

– EDPB Draft Guidelines on Connected Vehicles –<\/strong><\/span><\/a><\/p>\n

On 7th<\/sup> February, the EDPB published its draft Guidelines on Connected Vehicles and Mobility Related Applications. The draft Guidelines are welcome in dealing with an issue which is gaining in prominence and significance, as more and more types of vehicle integrate personal data processing systems. The draft Guidelines are also welcome in their holistic description of the data protection principles which are relevant in relation to connected vehicles and in how these principles might be discharged. With such a holistic approach, however, comes the natural downside that the depth of consideration of each provision is limited. For example, the Guidelines place a heavy emphasis on the need for data controllers to obtain consent from data subjects for processing in connected vehicle applications \u2013 according to Article 5(3) of the ePrivacy Directive. Yet, the Guidelines fail to provide any in-depth look at how consent might effectively be requested and obtained. Several aspects of the Guidelines are of interest. Two deserve mention. First, the Guidelines are directed at, amongst others, manufacturers.<\/a> On the one hand, this makes sense as manufacturers are key players in setting the data processing parameters of connected vehicles and mobility related applications. On the other hand, however, recall that EU data protection law has never directly applied to manufacturers. Second, the Guidelines suggest that, if initial processing is legitimated based on consent, further processing, even if not foreseen at the moment consent has been obtained, cannot be legitimated based on compatibility under Article 6(4) GDPR. This is a novel conceptualisation of the limits of compatible secondary processing not found in law. The draft Guidelines are now open for public consultation. The consultation process will run until the 20th<\/sup> March 2020.<\/span><\/p>\n

 <\/p>\n<\/div>\n

\n

– Irish DPC Opens Probes into Google and Tinder –<\/strong><\/span><\/a><\/p>\n

The Irish DPC has opened fresh probes into Google and Tinder. The investigation against Google concerns the processing of location data and the transparency of this processing. The probe follows complaints by national consumer organisations lodged at the end of 2018. The investigation against Tinder concerns the transparency of the processing of users\u2019 data and the handling of users\u2019 requests to exercise data subject rights. The Irish DPC pointed out that the latter investigation is not a response to any one complaint. Rather, the investigation was sparked by numerous similar complaints. The Irish DPC are to be applauded for taking the issue of transparency and data subjects\u2019 rights on platforms so seriously \u2013 even if the launch of the investigations took more than a year. The launch of the investigations is significant for several reasons. Two stand out. First: the investigations will likely result in the elaboration of specific principles concerning data subject transparency on platforms. Second: the investigations will likely result in clearer elaborations of how apps should realise users\u2019 data subject rights. In this regard, the investigations may provide a forum through which to clarify whether platforms are required to disclose the mechanics of their profiling algorithms to users<\/a>.
\n<\/span><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

– European Parliament Discuss Californian Adequacy – Earlier this month, the European Parliament discussed the […]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72103","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72103"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72103\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72103"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72103"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}