{"id":72205,"date":"2021-01-14T21:48:00","date_gmt":"2021-01-14T20:48:00","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-38\/"},"modified":"2021-01-14T21:48:00","modified_gmt":"2021-01-14T20:48:00","slug":"data-protection-insider-issue-38","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-38\/","title":{"rendered":"Data Protection Insider, Issue 38"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/news\/news\/2021\/edpb-adopted-documents-42nd-43rd-plenary_en\" target=\"_blank\" rel=\"noopener\"><strong><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\">&#8211;\u00a0<\/span>EDPB Adopts Documents During 42nd and 43rd Plenary Sessions <\/span><span style=\"font-size: 14px; line-height: 21px;\">&#8211;<\/span><\/strong><\/a><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/news\/news\/2021\/edpb-adopted-documents-42nd-43rd-plenary_en\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\">The EDPB held its 42<sup>nd<\/sup> and 43<sup>rd<\/sup> Plenary Sessions at the end of 2020. 
During these two sessions the EDPB adopted the following documents:<\/span><\/a><\/p>\n<ul>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Statement on the future ePrivacy Regulation\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018EDPB Strategy 2021-2023\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018EDPB Document on Terms of Reference of the EDPB Support Pool of Experts\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Statement on the end of the Brexit transition period\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Information note on data transfers under the GDPR after the Brexit transition period\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Guidelines on restrictions of data subject rights under Article 23 GDPR &#8211; version for public consultation\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Guidelines on the interplay of the Second Payment Services Directive (PSD2) and the GDPR (following public consultation)\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016\/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (following public consultation)\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Statement on the protection of personal data processed in relation with the prevention of money laundering and terrorist financing\u2019;<\/span><\/li>\n<li style=\"line-height: 18px;\"><span style=\"font-size: 
14px; line-height: 21px;\">\u2018Article 64 Opinion on the draft decision regarding Equinix\u2019s Controller BCRs\u2019.<\/span><\/li>\n<\/ul>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">The documents are already available for consultation on the EDPB website.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22itemid%22:[%22001-206512%22]}\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211;\u00a0<\/strong><\/span><span style=\"font-size: 14px; line-height: 21px;\"><strong><em>Mo\u010du\u013cskis v Latvia<\/em>: Seizing a Lawyer\u2019s Tablet in breach of Article 8 ECHR &#8211;<\/strong><\/span><\/a><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">On 17<sup>th<\/sup> December 2020 the ECtHR ruled in the case of <em>Mo\u010du\u013cskis v Latvia<\/em> on the question of the legitimacy of searching and seizing a lawyer\u2019s tablet in the course of criminal proceedings against the lawyer and one of his clients. According to the facts of the case, the applicant is a lawyer, defending, amongst others, a person suspected of being involved in trafficking in human beings. After taking over the case, and while the client was being held in custody, e-mail accounts containing important information for the investigation of the crime were deleted and blocked from an IP address identified to belong to the applicant. Thus, the applicant became a suspect in the crime of concealing information relevant to a serious crime. 
Following this, the police, acting upon an arrest warrant, seized and searched the lawyer\u2019s tablet in order to look for evidence concerning both crimes. The applicant complained that the seizure of his tablet, which contained privileged information, was disproportionate and breached Article 8 ECHR. The Court ruled that the measure \u2013 i.e. the search warrant \u2013 was compliant with domestic law and pursued a legitimate aim. <a style=\"text-decoration: underline;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22itemid%22:[%22001-206512%22]}\" target=\"_blank\" rel=\"noopener\">The Court ruled, however, that the measure was \u201cnot necessary in a democratic society\u201d. Whereas the search warrant was based on reasonable doubt and its scope was sufficiently clear, its execution was not accompanied by \u201cadequate and effective safeguards against abuse\u201d.<\/a> The Court emphasized that the search was not accompanied by safeguards against accessing and copying information protected by the professional secrecy of the lawyer-client relationship \u2013 e.g. by having an independent observer who could identify documents protected by professional secrecy or by prohibiting the removal of content protected by such secrecy. The Court noted that \u201c(f)urthermore, there was no possibility of having an investigating judge decide whether or not particular material could be used by the investigation if the applicant had objected to such use on the grounds of professional confidentiality\u201d. In addition, the tablet was ordered to be retained until the criminal proceedings were concluded and thus the tablet was not returned to the lawyer, disregarding both the professional secrecy requirements and questions as to whether all the information stored on it was necessary for the proceedings in question. 
We note that, whereas the decision in the case is straightforward and unsurprising, it is positive that the Court is adhering to and developing the case law concerning the need, in search and seizure operations, to distinguish information relevant for criminal investigations while also protecting professional secrecy requirements \u2013 a thin line indeed when a lawyer is both a lawyer and a suspect at the same time.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/www.bloomberg.com\/news\/articles\/2020-12-24\/temporary-brexit-terms-will-keep-eu-u-k-data-flowing\" target=\"_blank\" rel=\"noopener\"><strong><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\">&#8211;\u00a0<\/span>Brexit Deal and International Data Transfers <\/span><span style=\"font-size: 14px; line-height: 21px;\">&#8211;<\/span><\/strong><\/a><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">The EU and the UK signed a trade and cooperation agreement \u2013 the Brexit deal \u2013 on 30<sup>th<\/sup> December 2020. The agreement ends the transition period between the two jurisdictions, which had been put in place following the UK\u2019s departure from the EU and during which existing rules on the EU and UK\u2019s relationship remained applicable. Technically, from the perspective of EU data protection law, the UK is now a third country for which no adequacy decision exists. The EU continues to work on an adequacy agreement to facilitate transfers between the EU and the UK. 
<a style=\"text-decoration: underline;\" href=\"https:\/\/www.bloomberg.com\/news\/articles\/2020-12-24\/temporary-brexit-terms-will-keep-eu-u-k-data-flowing\" target=\"_blank\" rel=\"noopener\">In order to mitigate the potentially significant consequences of the fact that the UK is now a third country with no adequacy decision, however, the trade and cooperation agreement permits the ongoing free exchange of personal data between the two jurisdictions \u2013 as if the UK were adequate \u2013 following the end of the transition period: the EU-UK data bridge.<\/a> The bridge will last for up to six months within which time a decision on UK adequacy should be made. During the period of operation of the bridge, the UK cannot change its data protection laws \u2013 i.e. the GDPR and the UK DPA 2018 will continue to apply. Whether the UK will eventually receive adequate status remains \u2013 as discussed in previous issues of Data Protection Insider \u2013 uncertain.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; color: inherit; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/home-affairs\/sites\/homeaffairs\/files\/pdf\/09122020_commission_proposal_regulation_european_parliament_council_european_agency_law_enforcement_cooperation_replacing_regulation_2016-794_po-2020-8998_com-2020_796_en.pdf\" target=\"_blank\" rel=\"noopener\"><strong><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\">&#8211;\u00a0<\/span>Europol to Get a Stronger Mandate and New Data Protection Regime <\/span><span style=\"font-size: 14px; line-height: 21px;\">&#8211;<\/span><\/strong><\/a><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a 
style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/home-affairs\/sites\/homeaffairs\/files\/pdf\/09122020_commission_proposal_regulation_european_parliament_council_european_agency_law_enforcement_cooperation_replacing_regulation_2016-794_po-2020-8998_com-2020_796_en.pdf\" target=\"_blank\" rel=\"noopener\">On 9<sup>th<\/sup> December 2020 the European Commission tabled two new legislative proposals for amending the regulatory framework for Europol.<\/a> The proposals pursue the following 9 objectives: (1) allowing Europol to enter alerts in the Schengen Information System with respect to Third-Country Nationals suspected of being involved in a crime for which Europol is competent; (2) enabling Europol to cooperate with private parties, e.g. electronic communication service providers; (3) helping national law enforcement authorities analyse big data; (4) boosting Europol\u2019s research and innovation activities; (5) allowing Europol to cooperate with Third Countries on a case-by-case basis in specific situations within Europol\u2019s mandate; (6) vesting Europol with the power to request national law enforcement authorities to open criminal investigations where the crime concerns Union policies, even where it does not have a cross-border dimension; (7) strengthening its cooperation with the European Public Prosecutor\u2019s Office; (8) strengthening Europol\u2019s parliamentary oversight and accountability; and (9) strengthening its data protection regime by aligning it with the provisions of Regulation 2018\/1725 on data protection for the EU institutions, agencies and bodies. We note that the proposed amendments, if they go through in their proposed shape, would imply broad changes to Europol\u2019s powers. The proposals will strengthen Europol\u2019s executive powers and will turn it into a more significant information hub \u2013 further blurring the lines between Europol and the national law enforcement authorities. 
In that sense, it is positive that Europol\u2019s data protection regime will be bolstered by aligning it with the requirements of the law enforcement limb of Regulation 2018\/1725 \u2013 a newer instrument aligned with the GDPR and Directive 2016\/680. Questions remain, however, as to whether this will sufficiently guarantee the adequate protection of personal data where blurred responsibilities may lead to a blurred applicability of Regulation 2018\/1725 and Directive 2016\/680 \u2013 concerning data protection standards applicable to the national law enforcement authorities. This question is especially poignant in relation to instances in which Europol performs big data analysis of data collected and further processed by national law enforcement authorities.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/data.consilium.europa.eu\/doc\/document\/ST-5008-2021-INIT\/en\/pdf\" target=\"_blank\" rel=\"noopener\"><strong><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\"><span style=\"color: #123256; line-height: 18px;\">&#8211;\u00a0<\/span><\/span>New E-Privacy Proposal <span style=\"line-height: 18px;\"><span style=\"color: #123256; line-height: 18px;\">&#8211;<\/span><\/span><\/span><\/strong><\/a><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/data.consilium.europa.eu\/doc\/document\/ST-5008-2021-INIT\/en\/pdf\" target=\"_blank\" rel=\"noopener\">The Portuguese Presidency of the Council has circulated a new proposed version of the E-Privacy Regulation.<\/a> In terms of the novelty of the proposal, three points stand 
out. First, in terms of structure, the Portuguese Presidency is seeking to simplify the text. Second, in terms of the function of E-Privacy legislation within a broader data protection legal ecosystem, the Portuguese Presidency is seeking to further align the E-Privacy Regulation with the GDPR. Third, in terms of substantive content, the Portuguese Presidency is seeking to make changes to the ways and instances in which communications metadata might be legitimately processed by data controllers: \u2018The most important amendment is the possibility to process electronic communications metadata (Article 6c and Recital 17aa) and to use processing and storage capabilities of terminal equipment and the collection of information from end-user\u2019s terminal (Article 8 (1) (g)) for further compatible processing, fully aligned with Articles 5 (1) (b) and 6 (4) of GDPR (further compatible processing).\u2019 It seems likely that this final, substantive change will receive push-back from those concerned about the rights implications of increased access to communications metadata. In principle, progress on E-Privacy reform \u2013 provided this progress takes normatively reasonable shape \u2013 is welcome. 
Whether this new proposed version of the Regulation, however, will fare better than previous versions remains to be seen.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-family: inherit; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"text-align: justify; margin: 0px; direction: ltr; line-height: 18px; font-size: 12px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/our-work-tools\/consistency-findings\/register-for-decisions_en\" target=\"_blank\" rel=\"noopener\"><strong><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\"><span style=\"color: #123256; line-height: 18px;\">&#8211;\u00a0<\/span><\/span>Twitter Decision following Article 65 Procedure <\/span><span style=\"font-size: 14px; line-height: 21px;\">&#8211;<\/span><\/strong><\/a><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">In December 2020, the Irish DPC finally published its decision to fine Twitter for breaches of the GDPR. The fine relates to an investigation into Twitter\u2019s compliance with the Article 33(1) obligation to inform a DPA following a data breach and with the Article 33(5) obligation to document a data breach. The fine has been set at 450,000 EUR. The fine is large and has received some attention in this regard. <a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/our-work-tools\/consistency-findings\/register-for-decisions_en\" target=\"_blank\" rel=\"noopener\">The fine has perhaps received more attention, however, as the result of the first binding decision based on the GDPR\u2019s Article 65 procedure.<\/a> As the infringement in question related to more than one jurisdiction, the initial decision of the Irish DPA was subject to objection by other DPAs. 
Several other DPAs took advantage of this opportunity and, accordingly, triggered the Article 65 process for dispute resolution by the European Data Protection Board. The Board published their decision on 9th November 2020, which was then adopted by the Irish DPC in its final published decision on the case. In the Board\u2019s decision, whilst the majority of the other DPAs\u2019 objections were dismissed, objections concerning the insufficiently dissuasive nature of the original fine were upheld and the Irish DPC was required to increase \u2018the level of the fine in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality established by Article 83(1) GDPR and taking into account the criteria of Article 83(2) GDPR\u2019.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211;\u00a0EDPB Adopts Documents During 42nd and 43rd Plenary Sessions &#8211; The EDPB held its 42nd [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72205","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72205"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72205\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72205"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"
https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72205"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}