{"id":72273,"date":"2021-09-02T22:24:44","date_gmt":"2021-09-02T20:24:44","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-53\/"},"modified":"2021-09-02T22:24:44","modified_gmt":"2021-09-02T20:24:44","slug":"data-protection-insider-issue-53","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-53\/","title":{"rendered":"Data Protection Insider, Issue 53"},"content":{"rendered":"
\n

– EDPB Adopts a Dispute Resolution Decision Concerning WhatsApp<\/a><\/strong>\u00a0–<\/a><\/em><\/strong><\/p>\n

\n

During the 53rd Plenary Session on 28th July, the EDPB adopted a binding dispute resolution decision pursuant to Article 65 GDPR. The decision concerns the draft decision adopted by the Irish Supervisory Authority (SA) following its inquiry into whether the transparency provisions of WhatsApp are compliant with Articles 12-14 GDPR<\/a>. The dispute resolution mechanism was triggered by the Irish SA \u2013 the lead SA as concerns WhatsApp Ireland Ltd. In December 2020, it shared its draft decision with the concerned supervisory authorities, which raised objections \u2018concerning, among others, the identified infringements of the GDPR, whether specific data at stake were to be considered personal data and the consequences thereof, and the appropriateness of the envisaged corrective measures.\u2019 The lead SA disagreed with the raised objections, as a result of which no consensus was reached, and referred the draft decision to the EDPB under the dispute resolution mechanism. The binding decision adopted by the EDPB \u2018addresses the merits of the objections found to be \u201crelevant and reasoned\u201d in line with the requirements of Art. 4 (24) GDPR.\u2019 The next steps are the EDPB notifying the concerned SAs of the final decision, the lead SA adopting its final decision \u2018on the basis of the EDPB decision\u2019 and communicating it to the controller within a month of the EDPB decision, and the EDPB publishing its decision after the controller has been notified.<\/span><\/p>\n<\/div>\n

 <\/p>\n

 <\/p>\n

\n

– <\/strong><\/a>EDPB Publishes Overview of DPA Resources and Enforcement Actions<\/a><\/strong>–<\/strong><\/a><\/p>\n

\n

On 5th August, the EDPB published their \u2018Overview on resources made available by Member States to the Data Protection Authorities and on enforcement actions by the Data Protection Authorities\u2019.<\/a> In terms of resources, the document covers: i) \u2018Financial resources\u2019; and ii) \u2018Human resources\u2019. In terms of enforcement actions, the document covers: i) \u2018Total number of enforcement cases (national and cross-border cases)\u2019; ii) \u2018Complaints\u2019; iii) \u2018Ex officio Investigations\u2019; iv) \u2018Data breach Notifications\u2019; v) \u2018Exercise of SA’s corrective powers on national and cross-border cases\u2019; vi) \u2018Judicial appeal of the cases with a fine\u2019; vii) \u2018Timeframe to decide\u2019; and viii) \u2018The procedural rights of a complainant and a controller\u2019. Questions concerning the capacity and actions of, and differences between, DPAs are key to understanding how data protection law functions in fact and as to where its deficiencies may lie. In this regard, the provision of statistics in the report is very welcome. The report contains a great range of comparative statistics concerning DPAs. These statistics deserve much closer scrutiny and more serious analysis than can be provided here. Nevertheless, even at first glance the figures make interesting reading. Consider, for example, the difference between the largest and smallest fines issued by DPAs in the last year: 50,000,000 Euros in France, compared to only 4,400 Euros in Lithuania\u2019.<\/span><\/p>\n<\/div>\n

 <\/p>\n

 <\/p>\n

\n

– <\/strong><\/a>EDPS Issues Opinion on Proposed Directive on Consumer Credits<\/strong><\/a>–<\/strong><\/a><\/p>\n

\n

On 26th August, the EDPS released their \u2018Opinion 11\/2021 on the Proposal for a Directive on consumer credits\u2019<\/a>. The Opinion concerns European Commission\u2019s \u2018Proposal for DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on consumer credits\u2019 \u2013 published on 30th June 2021. The EDPS makes positive general observations on the Proposal. In this regard, the EPDS, for example: \u2018welcomes the objective of the Proposal, which aims to strengthen consumer protection, taking into account the increased digitalisation in the consumer credit sector\u2019. Nevertheless, the EDPS also highlights a series of issues with the Proposal. On a general level, the EDPS highlights, for example: \u2018An additional serious concern, not sufficiently addressed in the current Proposal, exists in relation to what types and sources of data are used by lenders to assess consumers\u2019 creditworthiness and how artificial intelligence algorithms and interpret those data.\u2019 More specific comments are then made in relation to: i) \u2018Information and sources of information for the assessment of creditworthiness\u2019; ii) \u2018Procedures for creditworthiness assessment \u2019; iii) \u2018Consumer rights regarding creditworthiness assessment\u2019 iv) \u2018Consultation of relevant databases in the context of the creditworthiness assessment\u2019; v) \u2018Consumer rights having regard to the personalised offer (loan pricing)\u2019; vi) \u2018Advertising and marketing of credit agreements; advisory and other services\u2019; vii) \u2018Relationship to existing Union legislation on personal data protection\u2019; and viii) \u2018Interaction with the proposed Artificial Intelligence Act\u2019.<\/p>\n<\/div>\n

 <\/p>\n

 <\/p>\n

\n

– <\/strong><\/a>EDPS Publishes Opinion on the Proposal for a Regulation on the Schengen Evaluations<\/a><\/strong>–<\/strong><\/a><\/p>\n

\n

On 27th July, the EDPS released Opinion 10\/2021 on the Proposal for a Council Regulation concerning Schengen evaluations<\/a>. The Proposal seeks to replace and improve the existing Regulation on monitoring and evaluating the application of the Schengen acquis<\/em>. In its Opinion the EDPS welcomes in particular three elements of the Proposal: (i) the special attention to the compliance with fundamental rights, including data protection; (ii) the enhanced cooperation with the relevant Union institutions, bodies and agencies, including with the EDPS, whose staff have participated as observers in the previous evaluations, and the clarity on the role of the observers; and (iii) the improved transparency provisions on the results of the evaluation. The Opinion raises two major concerns, in view of which it makes the following two recommendations: (i) the need for clarifying the scope of the evaluations by providing a non-exhaustive list of policy areas, including explicitly data protection and (ii) the need for clarifying the proposed scope of the evaluations of the Union bodies and agencies as long as they assist the Member States in the implementation of the different Schengen policies. Since the EDPS is responsible for supervising the compliance of these agencies with the applicable data protection provisions, the EDPS recommends clarifying how the proposed supervision will work in practice to avoid duplication, what competence the involved actors will have and how to guarantee the independence of the EDPS in these evaluations.<\/span><\/p>\n<\/div>\n

 <\/p>\n

 <\/p>\n

\n

– <\/strong>EDPB on Migrant Surveillance in Italy<\/strong><\/a>–<\/strong><\/a><\/p>\n

\n

On 10th August, the EDPB responded by letter to MEP Ms in\u2019t Veld about the concerns raised by the MEP about the deployment of Automatic Image Recognition System amongst migrants in Italy<\/a>. According to the letter, the system is deployed by the police authorities to\u00a0monitor the disembarkation operations in Italy and could also be used \u2018in general to operate in support of investigative activities.\u2019 The EDPB noted the negative Opinion issued by the Italian Data Protection Authority about the technology. As to the contribution by the EDPB to the work on the issue of facial recognition, the EDPB expressed that they consider biometric surveillance a very sensitive area in need of regulation in view of the risks it poses to different fundamental rights, including data protection. They recall the critical stance they took on biometric surveillance in the law enforcement area in the joint EDPS-EDPB Opinion on the Proposed AI Act, that the EDPB are drafting Guidelines on the deployment of facial recognition technologies in the law enforcement field and that they will continue monitoring the emergence and use of technologies, \u2018such as facial recognition, and their potential impact on the fundamental rights and daily lives of individuals, and will help to shape Europe\u2019s digital future in line with our common values and rules, while continuing to work with other regulators and policymakers to promote regulatory coherence and enhanced protection for individuals.\u2019<\/p>\n<\/div>\n

\n

 <\/p>\n

 <\/p>\n

\n

– <\/strong><\/a>UK GDPR Certification Scheme Conditions Approved by ICO<\/a><\/strong>–<\/strong><\/a><\/p>\n

\n

On 19th August 2021, the Information Commissioner\u2019s Office (ICO) \u2013 the UK\u2019s DPA \u2013 confirmed approval of the first set of certification scheme criteria under the UK GDPR<\/a>. Under the UK law \u2013 comparably to the GDPR itself: \u2018Certification works by providing a framework for organisations to follow, which offers clients and customers assurance that they are adhering to strong standards.\u2019 According to the ICO: \u2018ADISA, experts in IT asset disposal services, have developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed\u2026.[whilst] Age Check Certification Scheme (ACCS) have developed criteria for two schemes, the first relating to age assurance and the second looking at children\u2019s online privacy.\u2019 Certification \u2013 and comparable mechanisms \u2013 constitute means by which the abstract principles of data protection law can be translated into more concrete conditions, in specific circumstances. Accordingly, they hold much promise as a bridge between the text of the law and the realisation of the law in fact. In this regard, the adoption of the schemes should be met with interest both as regards their content \u2013 they deal with substantively pertinent and important issues \u2013 as well as regards the procedures by which they should function and the procedures by which they were adopted.<\/p>\n<\/div>\n

 <\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

– EDPB Adopts a Dispute Resolution Decision Concerning WhatsApp\u00a0– During the 53rd Plenary Session on […]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72273","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72273"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72273\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72273"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72273"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}