{"id":72170,"date":"2020-09-03T21:27:59","date_gmt":"2020-09-03T19:27:59","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-30\/"},"modified":"2020-09-03T21:27:59","modified_gmt":"2020-09-03T19:27:59","slug":"data-protection-insider-issue-30","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-30\/","title":{"rendered":"Data Protection Insider, Issue 30"},"content":{"rendered":"
\n

–\u00a0<\/strong>EDPB Handles First Dispute Resolution Case –<\/strong><\/span><\/a><\/p>\n

The Irish DPC has triggered, for the first time, the dispute resolution mechanism under Article 65 GDPR<\/a>. The case concerns the Irish DPC\u2019s investigation into, and decision on, a data security breach by Twitter \u2013 for which it acts as a lead supervisory authority. As a matter of substance, the disagreement seems to be about the sanction to be imposed on Twitter. However, no further information is available. The dispute resolution mechanism is meant to solve conflicts of opinion between the lead DPA and the other concerned DPAs, in which case the EDPB should take a binding decision by a 2\/3 majority. The EDPB\u2019s final decision is supposed to be adopted within 2,5 months at latest after the mechanism has been triggered. Some experts note that triggering the dispute resolution mechanism is a positive sign that the GDPR is being interpreted and applied consistently throughout the EU and that it is surprising that it took so long for the mechanism to be triggered. We note that such dispute resolution cases might make it politically more challenging for the companies under investigation to influence the outcome of investigations concerning them as well as to have them overturned afterwards.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

–\u00a0<\/strong><\/span>ICO Releases Findings of Data Protection Survey –<\/strong><\/span><\/a><\/p>\n

On 27th<\/sup> August, the ICO released its Annual Track survey results. The Annual Track is a yearly survey of over 2000 people, commissioned by the ICO, on the subject of data protection<\/a>. The results of the survey provide vital empirical data on the public\u2019s perception of data processing and data protection \u2013 data often absent from data protection discussions \u2013 and make interesting reading. Amongst other things, the ICO found that: \u2018There has been a significant shift towards the middle ground in terms of the public\u2019s trust and confidence in companies and organisations storing and using personal information. Levels of both high and low trust and confidence have decreased\u2026The data protection concerns of most importance to the public and which would most stop them using a company\/organisation are having their personal information stolen or shared\/sold to third parties and being a victim of fraud\/scams\u2026There is substantial appetite to exercise both data protection and Freedom of Information Act (FOIA) rights, but there is often uncertainty around how to do this\u2026[and]\u2026The public are often willing to trade personal information for access to products and services\u2019. It would be interesting to consider whether the findings of the survey remain valid for other European countries as well as to consider how the findings in the survey compare with other, previous, surveys. <\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

\u00a0–\u00a0<\/strong><\/span>Special Rapporteur to Consider Children\u2019s Privacy –<\/strong><\/span><\/a><\/p>\n

Joseph Cannataci, the UN Special Rapporteur on the Right to Privacy, \u2018has decided to examine the privacy rights of children and how this right interacts with the interests of other actors as the child develops the capacity for autonomy\u2019. In this regard, the Special Rapporteur calls for submissions from all interested stakeholders \u2018in order to obtain a wide range of perspectives to inform the research\u2019. The result of the process will be the publication of a report, which will be presented to the Human Rights Council in March 2021. The Special Rapporteur provides a list of topics stakeholder contributions might cover, including: \u2018Parental, familial, community, governmental, commercial and other interests that influence the development of the child and their autonomy;\u2026Official identity recognition including but not limited to birth registration and other official identity papers;\u2026The development of personal identity (or \u2018self\u2019) including gender identity and expression; The strengths and challenges of \u2018age based\u2019 and \u2018age verification\u2019 approaches.\u2019 Written contributions, ideally in English, should be received by 30th<\/sup> September 2020 \u2013 addresses for submissions are listed in the link below<\/a>. <\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

\u00a0–\u00a0<\/strong><\/span>The Austrian DPA, Legal Persons and Data Protection –<\/strong><\/span><\/a><\/p>\n

The Austrian DPA recently held that \u2018a legal person has the constitutional right to data protection under \u00a7 1 DSG (Austrian Data Protection Act) and is entitled to lodge a complaint before the DSB\u2019. The case concerned a company which complained to the Austrian DPA that their personal data had been unfairly processed by the Austrian Federal Office for Safety in Health Care during an audit. Although the complaint was eventually rejected on substantive grounds, the DPA did recognise the company\u2019s standing as a subject under the Austrian Data Protection Act. The case was decided by a DPA, concerns local law and norms and has apparently received little attention around Europe. Nevertheless, the European data protection community should take note. The decision recognises the legitimacy, and constitutional value, in providing legal persons with data protection<\/a>. In doing so, the recognition reminds us that provision of protection to legal persons is conceivable under EU data protection law. This is a possibility with a long history in Europe and which raises numerous interesting conceptual and practical questions. It is also, however, a possibility seldom discussed since the GDPR has entered into force.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– GDPR Fines Drop in Q2 2020 –<\/strong><\/span><\/a><\/p>\n

A report by IT Governance notes that, in Q2 of 2020, EU DPAs have issued fines totalling only 2.9 million Euros<\/a>. This number constitutes a significant drop from the 49 million Euros in fines issued in Q1. It appears that Spain issued the highest number of fines. Some have argued that the drop in the amount of fines is to be attributed to COVID-19. At the same time, they acknowledge that not all countries consistently report on their fines and thus the numbers might in fact be higher than suggested by the report. We note that the drop in the amount of fines might also be attributed to the fact that some investigations take a longer time due to the complexity of the case, which might lead to increases in the fines in subsequent quarters\/years. It is interesting that a record is being kept on the matter of fines, as they have been praised as one of the novelties of the GDPR supposed to lead to higher compliance and a deterrent effect on data protection violations. It would be interesting to study their impact long-term.<\/p>\n<\/div>\n

 <\/p>\n

\n

– Real-Time Bidding Challenged –<\/strong><\/span><\/a><\/p>\n

Oracle and Salesforce are facing a multinational multi-billion-euro legal challenge. The challenge has been brought by the Privacy Collective on behalf of millions of internet users and has been submitted at the District Court of Amsterdam. A legal complaint will supposedly also be submitted at a later date in the UK. In substance, the complaint concerns real-time bidding \u2013 in the course of which adtech companies collect information about the internet usage of individual users via cookies and then sell them to advertisers. Whereas a huge number of companies engage in such practices, the Privacy Collective claims that Oracle and Salesforce engage in the practice without proper consent and without adequately informing internet users<\/a>. Both companies deny the allegations. To the best of our knowledge, this is one of the rare instances of a collective action \u2013 provided for under Article 80 GDPR. We note that regardless of the outcome of the challenge, the emergence of such non-for-profit organisations engaging in the investigation of possible violations of the GDPR sends a strong signal that the GDPR\u2019s remedial mechanisms are growing in use. In addition, we note that the fact the legality of specific adtech practices is challenged represents a general trend in scrutiny over adtech.<\/p>\n<\/div>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

–\u00a0EDPB Handles First Dispute Resolution Case – The Irish DPC has triggered, for the first […]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72170","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72170"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72170\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72170"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72170"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}