{"id":72218,"date":"2021-02-25T21:55:01","date_gmt":"2021-02-25T20:55:01","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-41\/"},"modified":"2021-02-25T21:55:01","modified_gmt":"2021-02-25T20:55:01","slug":"data-protection-insider-issue-41","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-41\/","title":{"rendered":"Data Protection Insider, Issue 41"},"content":{"rendered":"
\n

\n

– <\/span>EDPS Releases Opinion on the Draft Digital Services Act <\/span><\/strong><\/a>–<\/a>
\n<\/strong><\/span><\/p>\n

\n

On 10th<\/sup> February, the EDPS issued his Opinion on the Commission\u2019s Proposal for a Digital Services Act (DSA). In short, the Proposal seeks to regulate a broad range of aspects related to online service providers, e.g. platforms. In his Opinion, the EDPS notes that the DSA Proposal seeks to complement the GDPR and the e-Privacy Directive. In that respect, his recommendations aim to ensure that their provisions do not get \u201cwatered down\u201d in the DSA.\u00a0 He then proceeds to make suggestion as to how to ensure greater compliance by the concerned platforms with data protection law by discussing numerous provisions of the Proposal from a data protection perspective. Three issues stand out in particular. First, the EDPS pays special attention to the need for transparency and comprehensibility towards the users, e.g. of targeted advertising or of removing \u201cillegal content\u201d and the rights of the concerned persons whose content has been removed. As to targeted advertising, the EDPS goes further in advocating the phasing out of targeted advertising \u201con the basis of pervasive tracking\u201d. Second, he supports the Commission in its desire to provide \u201cvetted researchers\u201d access to the online platforms for the purposes of scientific research \u201cfor the sole purpose of conducting research that contributes to the identification and understanding of systemic risks\u201d. In that respect he warns that \u201cdata\u00a0\u00a0 protection\u00a0\u00a0 should\u00a0\u00a0 not\u00a0\u00a0 be misappropriated\u00a0 as\u00a0 a\u00a0 means\u00a0 for\u00a0 powerful\u00a0 players\u00a0 to\u00a0 escape\u00a0 transparency\u00a0 and accountability.\u201d<\/a> Third, the EDPS emphasizes the need for coordinated supervision between the different regulatory authorities, including the independent supervisory authorities under the GDRP and other enforcement authorities. We note that it remains to be seen how the ambitious proposals put forward by the EDPS will be taken on board by the other stakeholders, e.g. the concerned industries. Especially the topic of targeted advertising has been very contentious in the past years and no consensus seems to have emerged as to the future of the industry.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

–\u00a0<\/span>EDPS Releases Opinion on the Draft Digital Markets Act –<\/span><\/span><\/strong><\/a><\/p>\n

\n

On 10th<\/sup> February, the EDPS also issued his Opinion on the Commission\u2019s Draft Digital Markets Act (DMA). The Proposal concerns the data protection, consumer protection and competition law measures that should be taken to ensure that \u201cgatekeepers\u201d, i.e. \u201clarge platforms with significant network effects\u201d in the digital market remain fair and contestable. Similarly to the DSA Opinion, the EDPS underlines the complementarity between the Proposal, the GDPR and the e-Privacy Directive when it comes to the data protection aspects, makes recommendations to ensure this complementarity and supports the cooperation between data protection, consumer and competition law supervisory authorities in regulating the said \u201cgatekeepers\u201d. Amongst the specific data protection comments he makes, the EDPS notes how competition and data protection law reinforce each other, e.g. by prohibiting the bundling of services and users\u2019 lock-in, and seeking to restore the informational imbalance between the gatekeepers, on one hand, and consumers and other business users, on the other hand. Furthermore, the EDPS supports enhancing data portability, including of personal data resulting from the profiling carried out by the large platforms, and ensuring the interoperability between platforms. This is to ensure fair and open markets in relation to both the consumers and other business operators who are dependent on the gatekeepers.<\/a> We note that the DMA Proposal and the EDPS comments seem to rely on and support the separation between \u201cpersonal data\u201d and \u201cnon-personal data\u201d. This approach is understandable as concerns the EDPS Opinion in the sense that the EDPS\u2019s mission is to ensure the protection of our personal data. However, in how far can this delineation realistically be sustained in the future bearing in mind the power which search engines and online platforms derive from the processing of anonymized and non-personal data?<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

–\u00a0<\/span>BEUC Submits a Complaint against TikTok <\/span>–<\/span><\/strong><\/a><\/p>\n

\n

On 16th<\/sup> February, BEUC filed a complaint with the European Commission and the Member State consumer and data protection authorities against TikTok, an app used by children, for a series of consumer and data protection law breaches.<\/a> On the consumer law side, the compliant concerns three main issues: (1) the Terms and Conditions, including the copyright provisions, as they are \u201cunclear, ambiguous and favour TikTok to the detriment of its users\u201d; (2) the \u201cunfair terms and misleading practices<\/strong>\u201d related to the exchange of coins and gifts on the platform and (3) the hidden advertising and inappropriate content to which TikTok might be exposing its users. On the data protection side, the compliant focuses on the lack of informed and comprehensible information for the target audience. Furthermore, the complaint refers to the potentially illegal consent policy of the platform; the doubts concerning the choice of the legal basis of the processing; its alleged breach of the core data protection principles, which could make it difficult for the users, amongst others, to exercise their data subject rights; the lack of appropriate privacy by design and security measures; and the alleged lack of specific measures to protect children. We note that the approach taken by BEUC demonstrates the interplay between consumer and data protection law, which is acknowledged also by the Commission and the EDPS in relation to the DMA and DSA Proposals discussed above.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

–\u00a0<\/span>Commission Adopts Draft UK Adequacy Decisions <\/span>–<\/span><\/strong><\/a><\/p>\n

\n

On 19th<\/sup> February, the European Commission published two draft adequacy decisions on the free flow of personal data from the EU to the UK. The first decision concerns transfers under the GDPR. The second decision concerns transfers under the LED. With the publication of the decisions, the Commission confirms that it believes the UK to offer an essentially equivalent standard of data protection to that offered in the EU. The publication begins the process for the final adoption of the decisions. This process \u201cinvolves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States.\u201d Currently, transfers to the UK, without additional safeguards, are legitimated by an interim agreement under the EU-UK Trade and Cooperation Agreement. This interim agreement remains valid for four months from 1st January 2021 \u2013 with the option of extension by two months \u2013 or until the adoption of adequacy agreements. The publication of draft agreements should come as no surprise. There is undoubtedly considerable political pressure on the Commission to facilitate seamless personal data exchange with the UK. It is highly likely, however, that the eventual adoption of the draft agreements will face opposition moving forward.<\/a> Sceptical opinions had already been issued as to the standard of UK data protection \u2013 in particular concerning the UK\u2019s security and law enforcement frameworks\u2013 during post-Brexit negotiations. Even if the decisions are eventually adopted, there is still the possibility of intervention by the CJEU. The Court has already demonstrated its willingness to disagree with Commission evaluations of third-country data protection standards \u2013 see, for example, the recent Schrems II<\/em> decision.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

–\u00a0<\/span><\/span>Council Agrees Position on ePrivacy<\/span>–<\/span><\/span><\/span><\/strong><\/a><\/p>\n

\n

On 10th<\/sup> February, the Council, under the Portuguese Presidency, agreed a new position on the proposal for an ePrivacy Regulation.<\/a> The agreement grants a mandate to the Portuguese Presidency to begin discussions with the European Parliament regarding the adoption of a new Regulation. The Council\u2019s press release highlights that: \u2018As a main rule, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end-user will be prohibited, except when permitted by the ePrivacy Regulation.\u2019 The proposed text, however, does include several exceptions which would allow processing of communications data by third parties without an individual\u2019s consent. For example, the text foresees that: \u2018Permitted processing of electronic communications data without the consent of the user includes, for example, ensuring the integrity of communications services, checking for the presence of malware or viruses, or cases where the service provider is bound by EU or member states\u2019 law for the prosecution of criminal offences or prevention of threats to public security.\u2019 The text also foresees that: \u2018In certain cases, providers of electronic communications networks and services may process metadata for a purpose other than that for which it was collected, even when this is not based on the user\u2019s consent or certain provisions on legislative measures under EU or member state law. This processing for another purpose must be compatible with the initial purpose, and strong specific safeguards apply to it.\u2019 On the one hand, it is welcome news that ePrivacy negotiations are once again moving ahead. On the other hand, prior efforts to secure updates to ePrivacy law have met with considerable obstructions. It will be interesting to see how current efforts progress.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

–\u00a0<\/span><\/span>German Constitutional Court, Minimum Damage, and Data Protection Claims –<\/span><\/span><\/strong><\/a><\/p>\n

\n

The German Constitutional Court has highlighted that a lower court needed to have made a request to the CJEU concerning the position of EU law as to whether the GDPR foresees a relevance threshold for damage supporting compensation claims.<\/a> The facts of the case concern the receipt of a marketing e-mail, sent without legitimation. In relation to this mail, the plaintiff sued for compensation. The Amtsgericht Goslar, according to Article 82 of the GDPR, decided that no damage had been incurred which would warrant provision of compensation. In relation to this decision, the plaintiff complained to the Constitutional Court that the Amtsgericht had failed to fulfil its legal obligation to seek advice from the CJEU as to the legal situation concerning minimum levels of damage and compensation claims under the GDPR \u2013 as the situation is not explicitly clear from the GDPR itself nor from prior CJEU jurisprudence. The Constitutional Court followed this argumentation and upheld the plaintiff\u2019s complaint. The Constitutional Court\u2019s decision is interesting for several reasons. We highlight the decision here in DPI, however, owing to the high significance a ruling by the CJEU on the issue of a relevance threshold for compensation claims under the GDPR could have on the ability for data subjects to realise their rights under the GDPR.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

– EDPS Releases Opinion on the Draft Digital Services Act – On 10th February, the […]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72218","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72218"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72218\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72218"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72218"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}