{"id":72242,"date":"2021-05-06T22:08:47","date_gmt":"2021-05-06T20:08:47","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-46\/"},"modified":"2021-05-06T22:08:47","modified_gmt":"2021-05-06T20:08:47","slug":"data-protection-insider-issue-46","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-46\/","title":{"rendered":"Data Protection Insider, Issue 46"},"content":{"rendered":"
\n

– EDPB Releases Guidelines on Dispute Resolution by the Board<\/span> –<\/span><\/strong><\/a>
\n<\/strong><\/span><\/p>\n

The EDPB has published guidelines \u2018on the application of Article 65(1)(a) GDPR\u2019 \u2013 the Article dealing with \u2018Dispute resolution by the Board\u2019<\/a>. The Board locate the elaboration of substance in the document within the frame provided by the CFREU \u2013 in particular the right to good administration under Article 41 \u2013 the GDPR, and the EDPB Rules of Procedure. In terms of substance, the Guidelines deal with: i) \u2018[the] Main stages of the procedure\u2019; \u2018[the] Competence of the EDPB\u2019 \u2013 including a discussion on the forms of issues on which the EDPB might issue a decision; iii) \u2018The Right to be heard\u2019 \u2013 including an interesting discussion on the right of impacted persons to be heard in a procedure ; iv) \u2018Access to the file\u2019; v) \u2018The duty to give reasons\u2019 \u2013 including a discussion of the need for the EDPB to provide the reasoning underlying its decision; and vi) \u2018Judicial remedies\u2019 \u2013 including discussions of the possibilities for various parties to seek judicial review of a decision. This is a set of Guidelines which deserves attention. The EDPB and the national DPAs are integral cogs in the development of EU data protection law. Accordingly, the rules of process by which such development occurs are themselves important for the procedural and substantive content of data protection law.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

EDPB Releases Guidelines on Targeting of Social Media Users –<\/a><\/span><\/strong><\/p>\n

On 13th April the EDPB released the second version of their guidelines on targeting of social media users \u2013 after the public consultation of the first version of these guidelines. The purpose of the guidelines is to \u2018offer guidance concerning the targeting of social media users, in particular as regards the responsibilities of targeters and social media providers.<\/a>\u2019 The guidelines focus on the following four themes in relation to observed data, inferred data and data provided directly by the data subject: i) the potential risks for the rights and freedoms of social media users; ii) the \u2018main actors\u2019 in the social media targeting environment and their respective roles and responsibilities under the GDPR; iii) the application of a selected number of GDPR requirements, namely lawfulness, transparency including the right of access, carrying out a DPIA, and processing special categories of personal data; and iv) arrangements between social media providers and targeters which regulate (the distribution of) their joint controllership responsibilities under Article 26 GDPR. We note that, in view of the complex network of entities which process personal data in the framework of social media, the Guidelines offer useful guidance on the distribution of responsibilities and basic data protection compliance.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– <\/span>EDPB Issues Statement on International Data Transfers –<\/span><\/span><\/strong><\/a><\/p>\n

The EDPB has issued a statement on international data transfers concerning the \u2018exchange of <\/span>personal data between public authorities under existing international agreements in different areas\u2019. The EDPB has issued the statement in response to questions the Board and national DPAs have been receiving on the issue. In the statement, the Board highlights the applicability of Article 96 GDPR and Article 61 LED, and observes in this regard that \u2018all<\/a><\/span><\/p>\n

international agreements involving the transfer of personal data to third countries or international organisations which were concluded by the EU Member States prior to 24 May 2016 or 6 May 2016 respectively, and which comply with Union law as applicable prior to that date, shall remain in force until amended, replaced or revoked.\u2019<\/a> The Board go on, however, to encourage: \u2018Member States to assess and, where necessary, review their international agreements that involve international transfers of personal data\u2026in order to determine whether, while pursuing the important public interests covered by the agreements, further alignment with current Union legislation and case law on data protection, as well as EDPB guidance might be needed.\u2019 The statement itself is short and contains few surprises. The statement does raise the interesting question, however, of the degree to which Articles such as 96 GDPR and 61 LED permit agreements which diverge from developments in EU law, to simply remain in place<\/span><\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– <\/span><\/a>EDPS Welcomes the Proposed AI Regulation with Reservation<\/a><\/span>–<\/span><\/a><\/span><\/strong><\/p>\n

On 23rd April the EDPS issued a press release following the official publication of the EU proposal for a Regulation on AI \u2013 the first proposal of its kind in the world. He welcomed the horizontal approach and broad scope adopted by the Commission. He was also positive about the risk-based approach, namely the focus on high-risk AI applications.However, the EDPS was concerned that the proposal does not go as far as put a moratorium on the use of remote biometric identification systems \u2013 such as facial recognition systems \u2013 in public spaces<\/a>. The EDPS commits to continuing to advocate for a strict approach to biometric identification systems, irrespective of the purposes for, and context in which, they are used \u2013 i.e. law enforcement, administrative or commercial. The EDPS is now working on an in-depth analysis of the proposal, which we expect to result in an Opinion. The focus of the analysis will be, in particular, on \u2018setting precise boundaries for those tools and systems which may present risks for the fundamental rights to data protection and privacy.\u2019 We are looking forward to the upcoming Opinion and the guidance provided in it to legislators.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– <\/span><\/span>AEPD and EDPS Release Paper on Anonymisation –<\/span><\/span><\/span><\/strong><\/a><\/p>\n

The AEPD \u2013 the Spanish DPA \u2013 and the EDPS have released a paper titled: \u201810<\/span><\/a><\/p>\n

Misunderstandings Related to Anonymisation\u2019<\/a>. The misunderstandings discussed are the following: i) \u2018Pseudonymisation is the same as anonymisation\u2019; ii) \u2018Encryption is anonymisation\u2019; iii) \u2018Anonymisation of data is always possible\u2019; iv) \u2018Anonymisation is forever\u2019; v) \u2018Anonymisation always reduces the probability of re-identification of a dataset to zero\u2019; vi) \u2018Anonymisation is a binary concept that cannot be measured\u2019; vii) \u2018Anonymisation can be fully automated\u2019; viii) \u2018Anonymisation makes the data useless\u2019; ix) \u2018Following an <\/span>anonymisation process that others used successfully will lead our organisation to equivalent results\u2019; x) \u2018There is no risk and no interest in finding out to whom this data refers to\u2019. The paper is relatively short, as are the discussions within. In this regard, the paper is not likely to tell data protection experts anything they did not already know. Nor is the paper likely to throw new light on, or open up new directions in, the discussion of the concept of anonymity. <\/span>Given the practical confusion the concept has, and continues to, cause, however, the paper should still be seen as welcome.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– <\/span><\/span><\/strong><\/a>Derogations from e-Privacy to Fight Child Sexual Abuse Material Almost Agreed<\/a><\/strong>\u00a0<\/span><\/strong>–<\/span><\/strong><\/a><\/span><\/p>\n

EURACTIV reported last week that the Parliament and the Council are close to agreeing on a proposal for a Regulation for fighting child sexual abuse online by way of a derogation from the e-Privacy Directive (which might become an e-Privacy Regulation). The proposed Regulation will allow online providers to monitor the content of online communications in order to identify sexual abuse material, which is a clear derogation from the principle of confidentiality of communications which sits at the core of e-Privacy<\/a>. Such monitoring actions are supposed to be temporary. There are reportedly two main points of disagreement between the Council and the Parliament. The first one concerns accuracy. The Parliament is concerned that a lot of sex-related content which does not relate to child sexual abuse will be erroneously flagged as such, which will unjustifiably breach the confidentiality of adults. The second one concerns the proposed anti-grooming measures. The Parliament wants to see these approved ex-ante by data protection authorities, a measure which is likely to be watered down in the final agreement. For those who wish to have a closer look at the ongoing negotiations, the EURACTIV story contains a link to the comparative table with the positions of the law-makers and the latest compromise.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

– EDPB Releases Guidelines on Dispute Resolution by the Board – The EDPB has published […]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72242","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72242"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72242\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72242"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72242"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}