{"id":72317,"date":"2022-02-17T22:40:23","date_gmt":"2022-02-17T21:40:23","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-63\/"},"modified":"2022-02-17T22:40:23","modified_gmt":"2022-02-17T21:40:23","slug":"data-protection-insider-issue-63","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-63\/","title":{"rendered":"Data Protection Insider, Issue 63"},"content":{"rendered":"<div class=\"txtTinyMce-wrapper\" style=\"font-family: Arial, Helvetica Neue, Helvetica, sans-serif; font-size: 12px; line-height: 18px; text-align: justify;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px; text-align: justify;\"><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/system\/files\/2022-02\/opinion_01-2022_gdpr-carpa_certification_criteria_en.pdf\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\"><strong>&#8211; \u00a0<\/strong><\/span><strong><em>EDPB Adopts Opinion on Luxemburg DPA\u2019s Draft Certification Criteria<\/em><\/strong><span style=\"line-height: 18px;\"><strong>&#8211;\u00a0<\/strong><\/span><\/span><\/a><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"background-color: transparent; line-height: 18px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/system\/files\/2022-02\/opinion_01-2022_gdpr-carpa_certification_criteria_en.pdf\" target=\"_blank\" rel=\"noopener\">On 1st February, the EDPB adopted \u2018Opinion 1\/2022 on the draft decision of the Luxembourg Supervisory Authority regarding the GDPR \u2013 CARPA certification criteria\u2019<\/a>. The criteria were drafted by the Luxemburg DPA under Article 42(5) of the GDPR and were submitted to the EDPB for an Opinion according to Article 64(1)(c) of the GDPR. 
The certification criteria do not correspond to criteria \u2018according to article 46(2)(f) of the GDPR meant for international transfers of personal data and therefore does not provide appropriate safeguards within the framework of transfers of personal data to third countries or international organisations.\u2019 The EDPB conducted its evaluation in accordance with Annex 2 of its \u2018Guidelines 1\/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation\u2019. The evaluation is extensive and includes sections on: \u2018General remarks\u2019; \u2018Scope of the certification mechanism and Target of Evaluation (ToE)\u2019; \u2018Procedure to determine a Target of Evaluation (ToE)\u2019; \u2018Certification criteria\u2019; \u2018Lawfulness of Processing\u2019; \u2018Principles of Article 5\u2019; \u2018General Obligations for Controllers and Processors\u2019; \u2018Rights of data subjects\u2019; and \u2018Risks for the rights and freedoms of natural persons and technical and organisational measures guaranteeing protection\u2019. The EDPB concludes that \u2018the GDPR \u2013 CARPA certification criteria may lead to an inconsistent application of the GDPR\u2019 and provides an extensive list of \u2018changes [which] need to be made in order to fulfill the requirements imposed by Article 42 of the GDPR in light of the Guidelines and the Addendum\u2019 \u2013 referring to the Guidelines mentioned above and to the document \u2018Guidance on certification criteria assessment (Addendum to Guidelines 1\/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation)\u2019. 
It is interesting to see EDPB evaluation procedures used in practice and the Opinion is worth a read for all engaged with certification criteria.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/www.cnil.fr\/fr\/cookies-le-conseil-detat-valide-la-sanction-de-2020-prononcee-par-la-cnil-contre-google\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><span style=\"line-height: 18px;\"><strong>&#8211; <\/strong><\/span><strong style=\"background-color: transparent;\"><em>Conseil d\u2019Etat Confirms Cookie Fine Against Google &#8211;<\/em><\/strong><\/span><\/a><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/www.cnil.fr\/fr\/cookies-le-conseil-detat-valide-la-sanction-de-2020-prononcee-par-la-cnil-contre-google\" target=\"_blank\" rel=\"noopener\">On 28th January, the Conseil d\u2019Etat upheld the \u20ac100 million fine imposed on Google LLC and Google Ireland Limited by the CNIL in December 2020<\/a>. The fine concerns the placing of cookies on users\u2019 devices without their consent, without having provided them with sufficient information and without giving them the opportunity to refuse the cookies. The cookies remained active even if individuals turned off the personalized ads functionality. The CNIL concluded that this breaches the French provisions implementing the e-Privacy Directive. 
In other words, it argued that the provisions of the GDPR concerning DPA competence \u2013 including the ones on the one-stop-shop principle \u2013 are not applicable. Thus, the CNIL concluded that it was competent to examine the case and not to forward it to the Irish DPC, which is the lead competent authority under the one-stop-shop principle. The Conseil d\u2019Etat confirmed the CNIL\u2019s arguments and the fine. The Conseil d\u2019Etat did not consider it necessary to ask the CJEU whether the one-stop-shop principle indeed does not apply in the case. It also considered that the imposed fine is proportionate.<\/span><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><strong><a style=\"text-decoration: none;\" href=\"https:\/\/noyb.eu\/en\/update-cnil-decides-eu-us-data-transfer-google-analytics-illegal\" target=\"_blank\" rel=\"noopener\"><em>&#8211; Google Analytics Declared Illegal in France and Austria &#8211;<\/em><\/a><\/strong><\/p>\n<p style=\"line-height: 18px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\">NOYB had previously filed 101 complaints with all the EU and EEA Data Protection Authorities (DPAs), claiming that the usage of Google Analytics does not comply with the CJEU\u2019s ruling on data transfers, which resulted in the striking down of Privacy Shield. The tool is used mainly to analyse the traffic through websites. 
<a style=\"text-decoration: underline;\" href=\"https:\/\/noyb.eu\/en\/update-cnil-decides-eu-us-data-transfer-google-analytics-illegal\" target=\"_blank\" rel=\"noopener\">Now, both the CNIL and the Austrian DPA have declared that the transfer of personal data to the US in the framework of the Google Analytics tool, as used by European websites, infringes the GDPR<\/a>. This is mainly due to the fact that once the data are transferred to the US, they might land in the hands of US intelligence authorities, and the safeguards on the basis of which the data transfers take place cannot ensure that these authorities will not get hold of the transferred personal data. Following the establishment of infringement, the CNIL has ordered the concerned French website to stop using Google Analytics and has suggested the website could use another, GDPR-compliant tool. In the case of Austria, since the concerned website has merged with a German entity, a common enforcement action with the responsible German DPA is expected. 
According to NOYB, further similar decisions in relation to the remaining complaints and other websites are expected from the other DPAs, since all the addressed DPAs have collaborated in analysing the problem in the framework of the EDPB.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><a style=\"text-decoration: none;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_22_601\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><em><strong>&#8211;\u00a0<\/strong><\/em><\/span><span style=\"font-size: 14px; line-height: 21px;\"><strong><em>Slovenia\u2019s Breaches of the GDPR on the Commission\u2019s Radar <\/em><\/strong><\/span><span style=\"font-size: 14px; line-height: 21px;\"><em><strong>&#8211;<\/strong><\/em><\/span><\/a><\/p>\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/inf_22_601\" target=\"_blank\" rel=\"noopener\">On 9th February, the European Commission sent Slovenia a letter of formal notice concerning the fact that Slovenia has not adopted national data protection provisions pursuant to the GDPR, even though the latter has been applicable since May 2018.<\/a> More precisely, Slovenian law still does not enable the Data Protection Commission to exercise all the corrective powers provided for in the GDPR and thus to ensure the enforcement of GDPR provisions in Slovenia. 
The letter sent to Slovenia also refers to Slovenia \u2018failing to fulfil its notification obligations under the General Data Protection Regulation (GDPR)\u2019, although it is not clear which notification obligations are meant. Slovenia now has two months to respond to the Commission\u2019s letter. If the Commission is not satisfied with the response, i.e. if it believes that Slovenia continues to infringe the GDPR, it may send Slovenia a reasoned opinion.<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><a style=\"text-decoration: none;\" href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/study-mapping-data-flows\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong>&#8211; \u00a0<\/strong><\/span><strong><em>Commission Publishes Study on Data Flows &#8211;<\/em><\/strong><\/a><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"font-size: 14px; line-height: 21px; word-break: break-word;\"><span style=\"background-color: transparent; line-height: 18px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/study-mapping-data-flows\" target=\"_blank\" rel=\"noopener\">On 3rd February, the European Commission published the \u2018Study on Mapping Data Flows: Final Report\u2019.<\/a> The study, \u2018which is part of the European Commission initiative \u2018The European Data Flow Monitoring\u2019, provides an innovative and replicable methodology to estimate and monitor the volume and types of data flows within the EU, EFTA countries and the UK\u2026[and] provides the tools for a continuous analysis of data flows and the economic development of the EU\u2019s data processing sector\u2019. 
In this regard: \u2018It can be used in future to monitor data flow trends across and within the European Union to provide evidence in support of EU policy, trade and investment decisions.\u2019 In terms of content, the study \u2018provides a holistic approach and an integrated view of enterprise data flowing to cloud data centres and edge centres within the EU; between the EU and the UK; and between EU and EFTA\u2019. The study is long \u2013 at 112 pages excluding Annexes \u2013 and does not solely concern flows of personal data. Yet, the mapping provides granularity to the abstract concept of \u2018data flows\u2019 and the study contains a great quantity of data and many thought-provoking observations and predictions. In relation to flows of personal data, for example, the study observes that: \u2018Concerning data types, 41 per cent of the total data stored in cloud infrastructure is personal data and 59 per cent is non-personal data. Of these 41 per cent of personal data, 11 per cent is generated by a user\/individual.\u2019<\/span><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div class=\"txtTinyMce-wrapper\" style=\"font-size: 12px; line-height: 18px; text-align: justify; font-family: Arial, 'Helvetica Neue', Helvetica, sans-serif;\">\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\"><em><a style=\"text-decoration: none;\" href=\"https:\/\/edpb.europa.eu\/news\/national-news\/2022\/aepd-fine-eur-3000000-caixabank-payments-consumer-efc-ep-sau-lack-specific_en\" target=\"_blank\" rel=\"noopener\"><span style=\"font-size: 14px; line-height: 21px;\"><strong><span style=\"line-height: 18px;\">&#8211; <\/span><\/strong><\/span><strong>AEPD Issues 3,000,000 Euro Fine for Failure to Obtain Legitimate Consent<\/strong><span style=\"font-size: 14px; line-height: 21px;\"><strong>\u00a0<\/strong><\/span><span style=\"font-size: 14px; line-height: 21px;\"><strong><span style=\"line-height: 18px;\">&#8211;<\/span><\/strong><\/span><\/a><\/em><\/p>\n<p style=\"line-height: 21px; word-break: break-word; font-size: 14px;\">\n<p style=\"line-height: 18px; word-break: break-word;\"><span style=\"font-size: 14px; line-height: 21px;\"><a style=\"text-decoration: underline;\" href=\"https:\/\/edpb.europa.eu\/news\/national-news\/2022\/aepd-fine-eur-3000000-caixabank-payments-consumer-efc-ep-sau-lack-specific_en\" target=\"_blank\" rel=\"noopener\">As reported by the EDPB, the AEPD \u2013 the Spanish DPA \u2013 has issued a \u2018fine of EUR 3,000,000 to CAIXABANK PAYMENTS &amp; CONSUMER EFC, EP, S.A.U. for lack of specific and informed consent regarding profiling for commercial purposes\u2019<\/a>. The fined entity functions as a payment institution. In this context, the entity creates profiles for the purposes of risk assessment and \u2018[s]election of target audience\u2019. Consent for these activities was requested only in general terms. In this regard \u2018the interested party is provided only with generic information on the different profiling treatments and with this information the interested party is not able to know exactly what [they are] consenting to. Nor is there any provision for the person concerned to express his or her choice on all purposes for which the data are processed\u2019. 
Accordingly, the EDPB reports that the fine was issued \u2018for lack of specific and informed consent regarding profiling for commercial purposes [and] the controller [was ordered] to bring processing operations into compliance with the provisions of the GDPR within six months of [the] decision.\u2019\u00a0<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&#8211; \u00a0EDPB Adopts Opinion on Luxemburg DPA\u2019s Draft Certification Criteria&#8211;\u00a0 On 1st February, the EDPB [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72317","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72317","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72317"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72317\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72317"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72317"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72317"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}