{"id":72325,"date":"2022-03-17T22:43:49","date_gmt":"2022-03-17T21:43:49","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-65\/"},"modified":"2022-03-17T22:43:49","modified_gmt":"2022-03-17T21:43:49","slug":"data-protection-insider-issue-65","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-65\/","title":{"rendered":"Data Protection Insider, Issue 65"},"content":{"rendered":"
\n

– \u00a0ECtHR Rules on Minor\u2019s Privacy –<\/strong><\/a><\/em><\/p>\n

\n

On 1st March, the European Court of Human Rights ruled in the case of I.V.\u021a. v. Romania<\/em><\/a>. In terms of the facts, the case concerned an interview with the applicant, a minor at the time, by a television news crew, following the death of a schoolmate. The interview concerned the death of the student despite the applicant not having been present at the event. The interview was conducted without parental consent. The interview was broadcast, and, as a result of the content of the interview, the applicant suffered anguish due to reactions from classmates and teachers. The applicant brought proceedings before domestic courts concerning the anguish felt and the lack of parental consent for the interview \u2013 despite this being required under national law. The higher domestic courts eventually found that the broadcast of the interview was acceptable in light of the public interest in the story and that the anguish felt did not constitute a direct result of the broadcast of the interview \u2013 but rather of unprofessional behaviour by teachers. Accordingly: \u2018The applicant complained [to the ECtHR] that the national authorities had failed to protect her right to respect for her private life and in particular the right to respect for her image as provided in Article 8 of the Convention\u2019. The Court found in favour of the applicant. The Court highlighted the positive obligations on states relevant in ensuring respect for private life, states\u2019 need to take into account the vulnerability of minors in ensuring this protection, and the need to balance, in such cases Article 8 and Article 10 \u2013 \u2018the private broadcasting company and journalists\u2019 right to impart information as guaranteed by Article 10\u2019. In this regard, the Court \u2018referred to its case-law in which the criteria for balancing the protection of private life against freedom of expression were set out\u2026[which] include: contribution to a debate of public interest; the degree of notoriety of the person affected; the subject of the report; the prior conduct of the person concerned; the content, form and consequences of the publication; and the circumstances in which images were taken.\u2019 In applying these principles to the case, the Court concluded: \u2018the higher domestic courts only superficially engaged in the balancing exercise between the applicant\u2019s right to private life and company X\u2019s freedom of expression, and this exercise was not carried out in conformity with the criteria laid down in the Court\u2019s case-law\u2026In the Court\u2019s view, the above considerations \u2013 especially on the young age and the lack of notoriety of the applicant; on the little contribution that the broadcast of her interview was likely to bring to a debate of public interest and on the particular interest of a minor in the effective protection of her private life \u2013 are sufficiently strong reasons to substitute its view for that of the domestic courts\u2026The Court finds that, given their duty to duly take into account the rights of minor children\u2026the latter failed to strike a fair balance between the relevant interests, thus failing to comply with their positive obligations to protect the applicant\u2019s right to respect for her private life.\u2019<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

–\u00a0EDPS Issues Opinion on the Pr\u00fcm II Proposal –<\/em><\/a><\/strong><\/p>\n

\n

On 2nd March the EDPS issued Opinion 04\/2022 on the proposed Regulation for automated data exchange for police cooperation (Pr\u00fcm II)<\/a>. The proposed Regulation seeks to update the existing Pr\u00fcm Decisions, \u2018laying down the conditions and the procedures for the automated searching of DNA profiles, dactyloscopic data (fingerprints), facial images, police records and certain vehicle registration data, as well as exchange of data following a match.\u2019 The EPDS raises the following main concerns in his Opinion, which deal, in particular, with the necessity and proportionality of the initiative: (1) the scope of the Proposal is not clear as concerns the crimes for which a query may be launched; (2) the scope of the Proposal is also not clear as to the affected data subjects \u2013 i.e. whether witnesses and victims may also be the subject of data exchanges \u2013 and it should further be clarified for which crimes and categories of individuals highly sensitive data such as DNA profiles, but also facial images, might be exchanged and what safeguards against abuse are provided; (3) the inclusion of Europol into the Pr\u00fcm framework \u2013 i.e. its ability to check third country-sourced data against Member State records and vice versa; (4) the unclear responsibility in terms of data protection and the governance of cooperation; and (5) the lack of clarification regarding the fact that the data protection provisions in the Proposal should not prejudice the applicability of the LED and Regulation 2018\/1725. The Opinion briefly discusses further points which might be interesting for the reader, e.g. the relationship between Pr\u00fcm II and the upcoming interoperability scheme in the Area of freedom, security and justice.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– EDPS Issues Opinion on the Proposal for LEA Data Exchange –<\/em><\/a><\/strong><\/p>\n

\n

On 7th March the EDPS issued Opinion 05\/2022 on the Proposal for a Directive on information exchange between law enforcement authorities of Member States<\/a>. As to the Proposal, it aims to guarantee \u2018the equivalent access for any Member State\u2019s law enforcement authorities to information available in other Member States for the purposes of preventing and detecting criminal offences, conducting criminal investigations or criminal operations, thereby overcoming currently existing rules at national level, which impede the effective and efficient flow of information\u2019. The EDPS makes several recommendations concerning the proposal: (1) re-considering whether the GDPR is relevant as a horizontally applicable law and potentially mentioning only the LED as the applicable general law on data protection; (2) clarifying the scope of the Proposal in terms of the individuals to whom it will apply \u2013 i.e. whether it will include witnesses and victims; (3) providing for data storage limits when it comes to data storage by the prospective Single Points of Contact (SPOC) in each Member State which will be tasked with data exchange; and (4) that the Member States should decide on a case-by-case basis whether to send a copy of the data exchanged between themselves to Europol where the data concern a crime falling within Europol\u2019s mandate in order to avoid a situation in which Europol receives excessive amounts of data.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– Italian DPA fines Clearview and Orders Data Deletion –<\/strong><\/span><\/em><\/a><\/p>\n

\n

On 9th March, the Garante \u2013 the Italian DPA \u2013 announced a decision in its investigation into Clearview AI.<\/a> The investigation concerned the tracking of \u2018Italian nationals and persons located in Italy\u2019 by the company, which \u2018owns a database including over 10 billion facial images from all over the world, which are extracted from public web sources (media outlets, social media, online videos) via web scraping\u2026[and] offers a sophisticated search service which allows, through AI systems, [the] creat[ion of] profiles on the basis of the biometric data extracted from the images.\u2019 The Garante found several breaches of the GDPR, including that: \u2018personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis \u2013 since the legitimate interest of the US-based company does not qualify as such\u2019; transparency obligations were not met, as the company \u2018failed to adequately inform users\u2019; purpose limitation principles were not respected, as the company \u2018processed users\u2019 data for purposes other than those for which they had been made available online\u2019; and storage limitation principles were not respected, as the company \u2018did not set out any data storage period\u2019. In consequence, the Gar ante \u2018fined Clearview AI EUR 20 million\u2026ordered the company to erase the data relating to individuals in Italy\u2026banned any further collection and processing of the data through the company\u2019s facial recognition system\u2026[and] ordered [the company] to designate a representative in the EU to be addressed in addition to or instead of the US-based controller in order to facilitate exercise of data subject rights.\u2019 This decision will further stoke the fires of discussion on the use, and boundaries of use, of facial recognition and AI. It will be interesting to see how other supervisory authorities receive this decision.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– \u00a0<\/span>EDPB 62nd Plenary –<\/strong><\/em><\/a><\/p>\n

\n

On 14th March 2022, the EDPB held its 62nd plenary meeting<\/a>. Amongst the topics discussed \u2013 see the link below for the full agenda \u2013 the following stand out as particularly interesting:<\/span><\/p>\n

\n

\u2018Guidelines on Article 60 GDPR (Cooperation and One-Stop-Shop mechanism)\u2019<\/span><\/p>\n

\u2018EDPB-EDPS Joint Opinion on Covid-19 certification Regulation extension\u2019<\/span><\/p>\n

\u2018Guidelines on data protection in social media platform interfaces: practical recommendations\u2019<\/span><\/p>\n

\u2018Draft toolbox on essential data protection safeguards for enforcement cooperation between EEA and third country data protection authorities\u2019<\/span><\/p>\n

\u2018Amendment of the Rules of Procedure by the RoP Drafting Team concerning the notification and translation of binding decisions \u2013 request for mandate\u2019<\/span><\/p>\n

\n

At the time of writing, news concerning the outcomes of the plenary was not yet available. We expect news to appear on the EDPB website in the following days.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

– Belgian DPA on Preliminary Data Protection Authority Law –<\/strong><\/em><\/span><\/a><\/p>\n

\n

On 25th February, the Executive Committee of the Belgian DPA issued its \u2018Opinion on preliminary draft law amending the Act of 3 December 2017 establishing the Data Protection Authority\u2019.<\/a> In principle, the Committee \u2018endorses the main principles underlying the Preliminary Draft, insofar as it aims to strengthen the operation and independence of the DPA.\u2019 The Committee then goes on, however, to highlight a number of concerns they have with the proposed law. These include: concerns that \u2018European law requirements on independence [are] not guaranteed\u2019 \u2013 including an extensive discussion on the ways in which they foresee that requirements are not guaranteed; concerns related to the \u2018operation of the Executive Committee\u2019; concerns revolving around \u2018essential procedural provisions [which] belong in the law\u2019; and concerns relating to the envisaged \u2018new powers for the authorisation and advisory service\u2019. To fully understand the content, context and consequences of the opinion, a knowledge of the Belgian situation is likely required. Nevertheless, even without such knowledge, the opinion makes interesting reading. This is true for a number of reasons, including: i) the opinion touches on the specifics of the internal structure and function of a DPA, which are not always the focus of attention; ii) the opinion highlights the significance of changes to structure and function in relation to the capacity of a DPA to fulfil its goals; and iii) the opinion deals with important issues \u2013 such as the independence of DPAs \u2013 in a way which has relevance beyond the Belgian context.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

– \u00a0ECtHR Rules on Minor\u2019s Privacy – On 1st March, the European Court of Human […]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72325","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72325"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72325\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72325"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72325"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}