{"id":72307,"date":"2022-01-18T22:37:21","date_gmt":"2022-01-18T21:37:21","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-61\/"},"modified":"2022-01-18T22:37:21","modified_gmt":"2022-01-18T21:37:21","slug":"data-protection-insider-issue-61","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-61\/","title":{"rendered":"Data Protection Insider, Issue 61"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-family: Arial, Helvetica Neue, Helvetica, sans-serif; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px; text-align: justify;\"><span style=\"font-size: 14px; line-height: 21px;\"><em><a style=\"text-decoration: none;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22itemid%22:[%22001-213208%22]}\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; \u00a0<\/strong><\/a><\/em><\/span><span style=\"font-size: 14px; line-height: 21px;\"><em><strong>Another Surveillance Law \u2018Bites the Dust\u2019: the ECtHR on the Bulgarian Surveillance Law in Ekimdzhiev and Others v Bulgaria <\/strong><\/em><\/span><span style=\"font-size: 14px; line-height: 21px;\"><em><a style=\"text-decoration: none;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22itemid%22:[%22001-213208%22]}\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;\u00a0<\/strong><\/a><\/em><\/span><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><u><a style=\"text-decoration: underline;\" href=\"https:\/\/hudoc.echr.coe.int\/eng#{%22itemid%22:[%22001-214673%22]}\" target=\"_blank\" rel=\"noopener\">On 11th January 2022, the ECtHR ruled that both the Bulgarian law on secret surveillance and the Bulgarian rules on retention and accessing of electronic communications data for law enforcement and 
national security purposes, as they currently stand, breach Article 8 ECHR<\/a>.<\/u> The Court first confirmed that the mere existence of the secret surveillance laws and the rules on the processing of the data by telecommunication providers and law enforcement authorities constitute an interference with Article 8 ECHR. It also noted that the contested laws had a wide scope of application and there were no safeguards to preclude their application to potentially anyone in Bulgaria. Hence, it decided to examine the applicable rules <em>in abstracto<\/em>. When examining the complaints, the Court noted that the actions in question had a legal basis in Bulgarian law and proceeded to examine the quality of the laws. It found the applicable laws insufficient on several grounds, the majority of which were similar for the secret surveillance laws and the rules on the processing of electronic communications data: (1) not all rules on data processing and destruction have been made public; (2) the authorising authorities are not able to ensure that the measures are implemented only when necessary in a democratic society; (3) the rules on the storage and destruction of the data were not clear enough; (4) the oversight authorities lacked the powers to effectively supervise the operation of the measures; (5) the notification arrangements were too narrow, e.g. providing for notifications only where the data had been processed illegally; and (6) no effective remedies were available. As a result, the Court ruled that the two examined interferences did not satisfy the \u2018quality of the law\u2019 requirement and that the law could not ensure that they were \u2018necessary in a democratic society\u2019, because they did not provide enough safeguards against abuse. We note that the ruling largely confirms the existing jurisprudence on secret surveillance measures, e.g. 
in Russia, Sweden and the United Kingdom.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><em><strong>&#8211; EDPS Orders Europol to Delete Data &#8211;<\/strong><\/em><\/span><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><u><a style=\"text-decoration: underline;\" href=\"https:\/\/edps.europa.eu\/system\/files\/2022-01\/22-01-10-edps-decision-europol_en.pdf\" target=\"_blank\" rel=\"noopener\">On 21st December 2021, the EDPS adopted its first-of-a-kind order to Europol, namely ordering it to delete the personal data of persons who are not involved in a criminal investigation falling within the Europol mandate.<\/a><\/u> As to the background of the case, according to the Europol Regulation, Europol may process the personal data only of certain persons, including those who are classified as suspects, victims or witnesses \u2013 which is essentially a data minimisation provision. However, in 2020, the EDPS noted in an admonishment letter sent to Europol that Europol had been processing Big Data, which, due to \u2018their characteristics and notably their size\u2019, have not been classified and thus could also include the personal data of individuals who are not related to a criminal investigation. In other words, the EDPS considers this to be a breach of the Europol Regulation. The EDPS observed that since the 2020 admonishment letter, Europol has failed to take satisfactory measures to delete the data lacking data subject classification. 
For these reasons, the EDPS has now ordered Europol to classify the non-classified data within six months of the decision and to delete the data which do not fall within any of the categories prescribed by the Europol Regulation. Data received after the decision must be deleted within six months of being found to be held illegitimately. Data already held by Europol must be deleted within twelve months of being found to be held illegitimately. In the meantime, the non-classified data may not be processed for any other purpose but classification, and Europol must update the EDPS every three months on the progress achieved in relation to data categorisation and erasure. The EDPS decision may be challenged in front of the CJEU. We note that it remains to be seen how the principle of data minimisation could remain a safeguard in relation to Big Data in view of the ongoing update of the Europol Regulation, as proposed in 2020, one of whose purposes is to allow \u2018Europol to effectively support Member States and their investigations with the analysis of large and complex datasets, addressing the big data challenge for law enforcement authorities\u2019.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><em><strong><a style=\"text-decoration: none;\" href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf;jsessionid=690E46897182EDCEEA7A06F9B644D000?text=&amp;docid=249524&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=989460\" target=\"_blank\" rel=\"noopener\">&#8211; <\/a>EDPB Publishes Contribution to Law Enforcement Directive Evaluation <a style=\"text-decoration: none;\" 
href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf;jsessionid=690E46897182EDCEEA7A06F9B644D000?text=&amp;docid=249524&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=989460\" target=\"_blank\" rel=\"noopener\">&#8211;<\/a><\/strong><\/em><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/system\/files\/2021-12\/edpb_contribution_led_review_en.pdf\" target=\"_blank\" rel=\"noopener\"><u>On 14th January, the EDPB adopted its \u2018Contribution of the EDPB to the European Commission\u2019s evaluation of the Data Protection Law Enforcement Directive (LED) under Article 62\u2019.<\/u><\/a> The contribution begins by offering a series of general \u2018policy messages\u2019. These include the top-level observation: \u2018Taking into account that the past four years have been characterised primarily by the national processes to transpose the LED and that case law is only starting to be developed the EDPB considers that, in practice, it is a relatively early stage for a comprehensive evaluation of the implementation and application of the provisions of the Directive as transposed. Moreover, because of the recent implementation of the LED, on some parts of the LED, there is only limited experience and empirical data, differing across Member States. 
Therefore the EDPB recalls that it would be too early to draw conclusions on the effectiveness of this legal instrument and to even consider any revision of the LED at this stage.\u2019 Among the policy messages, the EDPB also makes observations as to areas in need of work, such as, for example: \u2018the EDPB sees the great need to provide further guidance in order to ensure the use of emerging new technologies by law enforcement authorities be in compliance with the Charter of Fundamental Rights and the LED.\u2019 The contribution then proceeds to briefly describe the EDPB\u2019s \u2018Work According to the Tasks Listed Under Article 51 LED\u2019 \u2013 concerning the \u2018Tasks of the Board\u2019. The main body of the report, however, consists of a summary of \u2018contributions and replies by [Member State Supervisory Authorities] to each of the questions asked via [a] Questionnaire on the Evaluation of the LED sent by the European Commission\u2019. This summary provides much useful information on the activity of Supervisory Authorities in relation to the LED and is well worth a look for anyone interested in data protection in the law enforcement context.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><span style=\"font-size: 14px; line-height: 21px;\"><strong><em><span style=\"line-height: 18px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_21_5342\" target=\"_blank\" rel=\"noopener\">&#8211; <\/a><\/span><\/em>EDPB Publishes December Plenary Meeting Documents <em><span style=\"line-height: 18px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_21_5342\" target=\"_blank\" rel=\"noopener\">&nbsp;<\/a><a 
style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_21_5342\" target=\"_blank\" rel=\"noopener\">&#8211;<\/a><\/span><\/em><\/strong><\/span><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/news\/news\/2022\/december-plenary-adopted-documents_en\" target=\"_blank\" rel=\"noopener\"><u><span style=\"font-size: 14px; line-height: 21px;\">The EDPB has published the documents which they adopted during their plenary in December 2021:<\/span><\/u><\/a><\/p>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018EDPB contribution to the evaluation of the Law Enforcement Directive\u2019;<\/span><\/p>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018EDPB response to MEP Istv\u00e1n Ujhelyi on the alleged use of the Pegasus spyware\u2019;<\/span><\/p>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Guidelines on examples regarding data breach notifications (following public consultation)\u2019;<\/span><\/p>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">\u2018Opinion 39\/2021 on whether Article 58(2)(g) GDPR could serve as a legal basis for a supervisory authority to order ex officio the erasure of personal data, in a situation where such request was not submitted by the data subject\u2019.<\/span><\/p>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span 
style=\"font-size: 14px; line-height: 21px;\">The January plenary meeting is taking place on 18th January 2022 and its detailed and ambitious agenda is already available on the EDPB website.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><span style=\"font-size: 14px; line-height: 21px;\"><em><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/system\/files\/2021-11\/20211118plen1.2agenda_public.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; <\/strong><\/a><\/em><strong>CNIL Levies Massive Fines for Cookies <\/strong><em><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/system\/files\/2021-11\/20211118plen1.2agenda_public.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;<\/strong><\/a><\/em><\/span><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/www.politico.eu\/article\/france-takes-bite-out-of-cookie-banners-with-fines-targeting-facebook-google\/\" target=\"_blank\" rel=\"noopener\"><u>Politico reports that the CNIL has announced it will levy massive fines on Google and Facebook in relation to their use of Cookies<\/u>. <\/a>The CNIL has announced \u2018fines of \u20ac150 million for Google and \u20ac60 million for Facebook\u2019. Specifically, the fines have been announced in relation to the companies\u2019 failures \u2018to allow French users to easily refuse cookies\u2019. The fines relate to the CNIL\u2019s enforcement powers under the e-Privacy Directive. 
Under the GDPR, the CNIL would not have constituted the main supervisory authority for the companies \u2013 this would have been the Irish DPC \u2013 and therefore would not have been able to act in such a forceful manner.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><strong><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/inews.co.uk\/news\/covid-testing-provider-investigated-watchdog-plans-sell-customers-dna-samples-medical-research-1299909\" target=\"_blank\" rel=\"noopener\">&#8211; <\/a><\/span>Meta Subject of Massive Class Action on Exploitation of Consumer Data <span style=\"line-height: 18px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/inews.co.uk\/news\/covid-testing-provider-investigated-watchdog-plans-sell-customers-dna-samples-medical-research-1299909\" target=\"_blank\" rel=\"noopener\">&#8211;<\/a><\/span><\/span><\/strong><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/www.euractiv.com\/section\/digital\/news\/facebook-faces-2-3bn-class-action-in-the-uk-for-data-exploitation\/\" target=\"_blank\" rel=\"noopener\"><u>Euractiv reports that Meta \u2013 Facebook\u2019s parent company \u2013 is to be the subject of a massive class action suit.<\/u> <\/a>The suit will be brought on behalf of \u201844 million UK Facebook users\u2019 in relation to Facebook\u2019s activities with users\u2019 personal data in the period 2014-2019. 
Euractiv reports that the \u2018case will fall under the UK\u2019s Competition Act, and\u2026lawyers [will] seek compensation of at least \u00a32.3 billion, plus interest\u2019. More specifically, the suit claims that, in this period, all UK Facebook users paid \u2018an \u201cunfair price\u201d for using the platform\u2019 and therefore deserve compensation. The argument builds around the idea that Facebook occupies a dominant position in the market and that it has used this position to \u2018exploit the personal data of British users\u2019. Euractiv reports that \u2018the suit will soon be filed before the UK\u2019s Competition Appeal Tribunal, which will consider whether to allow the case to proceed to trial.\u2019 How the suit is received and will progress remains unclear. However, its development should be followed with interest. The arguments involved touch on several key discussions concerning law and economies of personal data, not least: the monetary value of personal data, the relationship between data protection and competition law, and the limits of platform power.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211; \u00a0Another Surveillance Law \u2018Bites the Dust\u2019: the ECtHR on the Bulgarian Surveillance Law in 
[&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72307","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72307"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72307\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72307"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72307"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}