{"id":72109,"date":"2020-03-05T20:32:18","date_gmt":"2020-03-05T19:32:18","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-18\/"},"modified":"2024-05-11T23:11:20","modified_gmt":"2024-05-11T21:11:20","slug":"data-protection-insider-issue-18","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-18\/","title":{"rendered":"Data Protection Insider, Issue 18"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-family: Arial, Helvetica Neue, Helvetica, sans-serif; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/news\/news\/2020\/eighteenth-plenary-session-adopted-documents_de \" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><strong>EDPB Adopts Four Documents &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 18<sup>th<\/sup> and 19<sup>th<\/sup> January 2020 the EDPB had its 18<sup>th<\/sup> plenary session. <a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/news\/news\/2020\/eighteenth-plenary-session-adopted-documents_de \" target=\"_blank\" rel=\"noopener\">As a result of the session, the EDPB adopted the following four documents<\/a>:<\/span><\/p>\n<ul>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">EDPB Contribution to the evaluation of the GDPR under Article 97<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Guidelines on Articles 46 (2) (a) and 46 (3) (b) for transfers of personal data between EEA and non-EEA public authorities and bodies<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Statement on privacy implications of mergers<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">Letter to Hoda<\/span><\/li>\n<\/ul>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">The documents are already available on the EDPB website. The first document \u2013 the Contribution to the evaluation of the GDPR \u2013 is part of the broader discussion around the two-year review of the GDPR \u2013 as discussed below. The second document \u2013 guidelines on data transfers \u2013 is open for consultation until 6<sup>th<\/sup> April 2020. The third document expresses data protection concerns regarding the planned acquisition of Fitbit, Inc. by Google LLC and highlight the need for a risk assessment to be conducted by both parties. The fourth document concerns a notification that the Italian Supervisory Authority has withdrawn its request for opinion by the EDPB concerning Hoda.<\/span><\/p>\n<\/div>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\">\u00a0<a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/sites\/edpb\/files\/files\/file1\/edpb_contributiongdprevaluation_20200218.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><\/span><span style=\"font-size: 14px; line-height: 21px;\"><strong>EDPB Position on the GDPR Two Year Review &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"word-break: break-word; line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">On 18<sup>th<\/sup> February 2020, the EDPB released its Opinion on the two-year evaluation of the GDPR. <a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/sites\/edpb\/files\/files\/file1\/edpb_contributiongdprevaluation_20200218.pdf\" target=\"_blank\" rel=\"noopener\">In summary, the EDPB state: \u2018In conclusion, after only 20 months of GDPR application, the EDPB takes a positive view of the implementation of the GDPR and is of the opinion that it is premature to revise the legislative text at this point in time\u2019.<\/a> The review thus contains little substantive criticism of the GDPR itself. The review is, however, worth reading as it contains a treasure trove of information on DPA activities in relation to the interpretation and enforcement of the GDPR \u2013 particularly in relation to DPA collaboration. It should be noted, however, that the position of the EDPB \u2013 that no changes to the text are necessary \u2013 is not shared by other Opinions submitted in the review process. Certain of these highlight a range of practical and conceptual issues with the GDPR in need of specific amendment. One example is the extensive Opinion offered by the German Forum Privatheit project. This Opinion explicitly highlights several necessary changes to the text of the GDPR which would both clarify the law and improve the protection offered to individual rights. For example, the Opinion highlights the need to clarify the data minimisation principle to explicitly recognise the data avoidance principle \u2013 the principle that: \u2018that the controller is obliged to select a specific purpose in such a way that as little personal data as possible is required for processing.\u2019 <\/span><\/p>\n<\/div>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edps.europa.eu\/sites\/edp\/files\/publication\/20-02-24_opinion-eu-uk-partnership_en.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; EDPS Offers Opinion on UK Partnership Negotiations &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">On 24<sup>th<\/sup> February, the EDPS published an Opinion on the opening of negotiations for a new partnership with the UK. The Opinion is broken down into three substantive parts. The first part highlights the need to ensure an adequate level of protection for fundamental rights \u2013 in particular for the right to the protection of personal data \u2013 across all aspects of a future partnership. The third part highlights the need for rules concerning the international collaboration between regulators. The second, and most interesting, part concerns the conclusion of a future adequacy decision for the UK. On the one hand, the EDPS recognises the utility of an adequacy decision: \u2018[the EDPS] underline[s] the importance of such assessment for the future cooperation between the EU and the UK, be it under the Regulation (EU) No 2016\/679 (hereinafter \u2018GDPR\u2019) or the Directive (EU) No 2016\/680 (hereinafter \u2018Law Enforcement Directive\u2019).\u2019 <a style=\"text-decoration: underline;\" href=\"https:\/\/edps.europa.eu\/sites\/edp\/files\/publication\/20-02-24_opinion-eu-uk-partnership_en.pdf\" target=\"_blank\" rel=\"noopener\">On the other hand, however, the EDPS draws attention to the fact that an adequacy decision is contingent on the UK providing an adequate level of protection for personal data.<\/a> In this regard, the EDPS \u2018draws attention to the European Parliament\u2019s Resolution adopted on 12 February 2020, which identifies a number of concerns as to the level of protection of personal data in the UK\u2019. As discussed previously in this newsletter, the adequacy process is not a forgone conclusion. The process is subject to politics \u2013 who knows what EU-UK relations will look like after negotiations are finished. In turn, the substantive standard of protection offered under UK law \u2013 in particular in relation to security and surveillance \u2013 has long been a concern of privacy advocates.<\/p>\n<\/div>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CONSIL:ST_5979_2020_INIT&amp;from=EN \" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; The Croatian Presidency: A New Try at e-Privacy &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\">The Croatian Presidency has been trying to overcome the deadlock in negotiations on the draft e-Privacy Regulation. In this regard, the Presidency has tabled amendments to provisions concerning two main topics in the draft proposal. The first topic concerns the legitimate grounds for processing of electronic communications data, content data, metadata and data concerning child sexual abuse (Article 6) \u2013 amendments to data storage and erasure principles (Article 7) have also been proposed to reflect the content of amendments to Article 6. The second topic concerns the protection of the end user\u2019s terminal equipment information \u2013 e.g. when connecting to a Wifi network (Article 8). In terms of content, all proposed amendments seek to extend the range of legitimate grounds for processing of personal data. <a style=\"text-decoration: underline;\" href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CONSIL:ST_5979_2020_INIT&amp;from=EN \" target=\"_blank\" rel=\"noopener\">Particularly significant is the introduction of legitimate interest as a legal ground for the processing of metadata and terminal equipment information \u2013 where previously only consent could legitimate processing.<\/a> The fact that these amendments expand the range of possibilities available to legitimate data processing constitutes a dilution of protection in comparison to the current e-Privacy framework. It looks likely, especially considering current discussions on AdTech, that these amendments will face heavy criticism and resistance.<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/info\/sites\/info\/files\/commission-white-paper-artificial-intelligence-feb2020_en.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; The Commission Issues European Strategies on AI and Data &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/info\/sites\/info\/files\/commission-white-paper-artificial-intelligence-feb2020_en.pdf\" target=\"_blank\" rel=\"noopener\">On 19<sup>th<\/sup> February 2020 the European Commission released two important strategies<\/a>:<\/span><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">\u00a0<\/span><\/p>\n<ul>\n<li style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On Artificial Intelligence &#8211; A European approach to excellence and trust; and<\/span><\/li>\n<li style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">A European strategy for data.<\/span><\/li>\n<\/ul>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">\u00a0<\/span><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">The strategy on AI outlines the European approach to AI in a global world. The strategy seeks to propose policy options to achieve two main objectives: to promote the uptake of AI; and to address the risks of AI. To promote the uptake of AI, the strategy seeks to reinforce Europe\u2019s industrial and technical capacities to boost Europe\u2019s significance in the field globally. To address the risks of AI \u2013 especially privacy, data protection, discrimination and product safety risks \u2013 the Commission is considering regulatory measures. The European strategy for data \u2018outlines\u00a0 a\u00a0 strategy\u00a0 for\u00a0 policy\u00a0 measures\u00a0 and\u00a0 investments\u00a0 to\u00a0 enable\u00a0 the data\u00a0 economy\u00a0 for\u00a0 the\u00a0 coming\u00a0 five\u00a0 years\u2019.\u00a0 The strategy seeks to make Europe a hub for data, which should also serve as a measure to boost Europe\u2019s technical and industrial capacity for AI. The strategy for data focusses on four pillars: data access and use; investments and infrastructure; competences and skills; and creating common European data spaces in nine strategic sectors and domains &#8211; including industrial (manufacturing), Green Deal, mobility, health, financial, energy, agriculture, public administration and skills data space. The two strategies are open for public consultation \u2013 until 19<sup>th<\/sup> and 31<sup>st<\/sup> May 2020 respectively.<\/span><\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/techcrunch.com\/2020\/02\/27\/facebook-has-paused-election-reminders-in-europe-after-data-watchdog-raises-transparency-concerns\/\" target=\"_blank\" rel=\"noopener\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\"><strong>&#8211; Irish DPA Attention Changes Facebook Election Practices &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"text-align: justify; font-size: 14px; margin: 0px; direction: ltr; line-height: 21px; word-break: break-word;\"><span style=\"color: #123256; font-size: 14px; line-height: 21px;\">The Irish DPA has requested information from Facebook about its Election Reminder Feature. Specifically, the Irish DPA has requested information regarding which data are collected from users and how these data are used. In this regard, the DPA sought a set of remedial actions from Facebook prior to the Irish elections on 8<sup>th<\/sup> February. In response to DPA requests for information and for remedial action, Facebook decided to pause the deployment of the feature in relation to elections across Europe \u2013 although the duration of the pause remains unclear. The Election Reminder Feature aims to remind individuals to vote on election day and to help them find their polling station. Given the explicit connection of the feature to elections and voting \u2013 and therefore to core democratic processes \u2013 and the recognised power of platforms to reach and influence targeted groups of individuals, it is no surprise the feature has raised concerns. From a broader perspective, the case is interesting for at least two reasons. First, the case provides further proof that the issue of data protection and democracy remains high on DPA agendas. <a style=\"text-decoration: underline;\" href=\"https:\/\/techcrunch.com\/2020\/02\/27\/facebook-has-paused-election-reminders-in-europe-after-data-watchdog-raises-transparency-concerns\/\" target=\"_blank\" rel=\"noopener\">Second, the case shows that data protection regulatory action from within the EU is seen as important enough to shift the practises of platform giants.<\/a> In this regard, it would be interesting to have further insight into Facebook\u2019s internal logic in processing and responding to such DPA requests and investigations. A number of questions present themselves: how does Facebook understand DPA requests; where are the centres of power within the company in relation to EU data protection practises; and are these changing over time?<br \/>\n<\/span><\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211;\u00a0EDPB Adopts Four Documents &#8211; On 18th and 19th January 2020 the EDPB had its [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72109","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72109"}],"version-history":[{"count":1,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72109\/revisions"}],"predecessor-version":[{"id":72383,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72109\/revisions\/72383"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72109"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72109"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}