{"id":72352,"date":"2022-06-23T22:56:12","date_gmt":"2022-06-23T20:56:12","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-71\/"},"modified":"2022-06-23T22:56:12","modified_gmt":"2022-06-23T20:56:12","slug":"data-protection-insider-issue-71","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-71\/","title":{"rendered":"Data Protection Insider, Issue 71"},"content":{"rendered":"
\n

\n

– ECtHR Rules on Disclosure of Correspondence in Algirdas Butkevi\u010dius v. Lithuania –<\/a><\/span><\/strong><\/em><\/p>\n

\n

On 14th June, the ECtHR ruled in the case of Algirdas Butkevi\u010dius v. Lithuania.<\/em><\/a> The case concerned the recording of a telephone conversation between Mr. Butkevi\u010dius \u2013 at the material time Prime Minister of Lithuania \u2013 and the Mayor of a town concerning official matters. This recording was initially made in relation to a specific criminal investigation of political corruption. The recording was then passed to the Lithuanian Parliament\u2019s Anti-Corruption Commission as also relevant to certain of their investigations. The Commission then held a public hearing in which the recording was discussed. A journalist present at these hearings subsequently published an article, including extracts of the recording, in relation to possible crimes and ethics violations. The story was \u2018republished by the biggest news portals in the country, as well as aired on television channels\u2019. Following a lack of success before domestic courts, the applicant appealed to the ECtHR, claiming \u2018that the release into the public domain of transcripts of an intercepted telephone call between him and a mayor had amounted to a breach of Article 8 of the Convention.\u2019 The Court found no violation. In doing so, the Court highlighted again that \u2018Article 8 of the Convention \u201cprotects a right to personal development, and the right to establish and develop relationships with other human beings and the outside world\u201d. The notion of \u201cprivate life\u201d does not exclude in principle activities of a professional or business nature.\u201d\u2019 The Court found in the case, however, that the interference was in accordance with the law, followed a legitimate aim, and was necessary. In relation to necessity, the Court highlighted both the suitability of the national authorities\u2019 approach and reasoning \u2013 including concerning limitations on privacy in relation to official function \u2013 and the lack of demonstration of sufficiently serious consequences suffered by the applicant: \u2018even if his reputation among his colleagues was affected by the disclosure of his telephone conversation, there are no factual grounds, let alone evidence, which he has put forward that would indicate that such an effect was so substantial as to have constituted a disproportionate interference with his rights guaranteed by Article 8 of the Convention.\u2019<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

\n

– <\/span><\/span>A Broad Reading of the Right to Access: AG Pitruzzella\u2019s Opinion in RW v \u00d6sterreichische Post AG –<\/span><\/span><\/a><\/strong><\/em><\/p>\n

\n

On 9th June, AG Pitruzzella advised the CJEU that the right to access to one\u2019s data should be read broadly to include the list of exact list of recipients of the applicant\u2019s data in RW v \u00d6sterreichische Post AG<\/em>.<\/a> As to the facts of the case, in exercise of their right of access to their personal data, the applicant requested from the controller, the Austrian postal services, to disclose to them the list of entities to whom their personal data had been disclosed. The controller restricted the answer to listing the categories of recipients<\/em>. The postal services argued that the wording of Article 15(1)(c) GDPR \u2013 \u2018the recipients or categories of recipients\u2019 \u2013 allowed them to choose to disclose only the categories of recipients. The applicant challenged that interpretation and the question reached the CJEU via the preliminary ruling procedure. AG Pitruzzella interpreted Article 15(1)(c) GDPR to mean that the controller does not have a choice between disclosing the full list of recipients or only the categories of recipients, inter alia<\/em> because that would contradict the transparency principle and the purpose of the right of access, which is to verify the lawfulness of the data processing \u2013 e.g. of the data transfer. Furthermore, he argued that, as the holder of the right of access to one\u2019s data, the data subject should be able to request the full list to be disclosed where the list is available \u2013 i.e. where the data disclosure has taken place. Referring to Article 12(5) GDPR, AG Pitruzzella recalled that restrictions on the right of access could be imposed \u2013 e.g. where the request is \u2018manifestly unfounded or excessive\u2019. However, the controller has the burden of proof to demonstrate that such provisions are indeed applicable. We note that the Opinion is convincing and would lead to more transparency. It remains to be seen whether the CJEU will follow the AG\u2019s advice.<\/span><\/p>\n<\/div>\n

\n

\n

– EDPB Adopts Documents –<\/strong><\/em><\/a><\/p>\n

On 16th June, the EDPB adopted the following two documents:<\/span><\/a><\/p>\n

\n

\u2018[<\/strong>G]uidelines on certification as a tool for <\/strong>[<\/strong>international] transfers<\/strong>\u2019. See below for more information.<\/span><\/p>\n

\u2018[<\/strong>D]<\/strong>ispute resolution decision on the basis of Art. 65 GDPR<\/strong>\u2019. The case concerns a complaint against Accor SA regarding the right to object to marketing emails and the right of access to personal data. The binding decision resolves the objections raised again the draft decision of the Lead Supervisory Authority (LSA), which is, in casu,<\/em> the CNIL.<\/span><\/p>\n

\n

The documents will be published shortly on the EDPB website.<\/span><\/p>\n<\/div>\n

 <\/p>\n

\n

\n

– <\/span>EDPB Publish Guidelines on Certification as a Tool for Transfers\u00a0–<\/span><\/a><\/strong><\/em><\/p>\n

\n

On 16th June, the EDPB announced the adoption of \u2018guidelines on certification as a tool for transfers\u2019<\/a>. According to the EDPB: \u2018The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool.\u2019 In terms of content, the EDPB observe that: \u2018The guidelines are composed of four parts, each focusing on specific aspects regarding certification as a tool for transfers, such as the purpose, scope and the different actors involved; implementing guidance on accreditation requirements for certification bodies; specific certification criteria for the purpose of demonstrating the existence of appropriate safeguards for transfers; and the binding and enforceable commitments to be implemented.\u2019 In terms of the relationship between the Guidelines and other EDPB materials, the EDPB note that: \u2018The guidelines complement guidelines 1\/2018 on certification, which provide more general guidance on certification.\u2019 At the time of writing, the Guidelines are not yet publicly available. They will be made available on the EDPB website, however, as soon as the requisite \u2018legal, linguistic and formatting checks\u2019 have been completed. The Guidelines will then be open for public consultation until the end of September. The Guidelines will doubtless be of high interest for the data protection community \u2013 dealing, as they do, with two fascinating and dynamic aspects of the area of law: certification, and transfers.<\/span><\/p>\n

\n

\n

\n

– CNIL Strict on Google Analytics –<\/a><\/span><\/strong><\/em><\/p>\n

According to Euractiv, referring to a Q&A communication on the CNIL\u2019s website, the use of Google Analytics would not be legal without a new EU-US data transfer agreement \u2013 even if Google Analytics would be reconfigured.<\/a> The CNIL reportedly clarified that \u2018\u201c[e]ven in the absence of a transfer, the use of solutions proposed by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data\u201d\u2019. The article highlighted that CNIL was also not satisfied with the proposal to encrypt and anonymize the data, because, with all the personal data Google collects through its other services, re-identification of the data could not be excluded and the fact that Google Analytics stores the encryption keys means that encryption cannot be effective. According to the article, the CNIL recommends, currently, consent as the only basis for the data transfer. However, the article highlights the CNIL find this problematic, too, because \u2018this is no \u201cpermanent and long-term solution\u201d as this exemption only applies to non-systematic transfers.\u2019 The article observes CNIL recognises that a potential solution could be \u2018using a proxy to avoid any direct contact between the devices of internet users and Google servers\u2019, but also that CNIL considers this might be difficult and costly to implement in practice. The article makes reference to the recent announcements by the European Commission that a new data transfer agreement is in the making, but also recalls that there seems to be no concrete proposal on the table yet.<\/span><\/p>\n<\/div>\n<\/div>\n

\n

 <\/p>\n

\n

– EDPB Response on the Interplay between PSD2 and GDPR –<\/a><\/strong><\/em><\/p>\n

On 22nd May, the EDPB issued a response to a letter, sent on 31st January, dealing with concerns \u2018regarding the Guidelines 06\/2020 on the interplay of the Second Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR) adopted on 17 July 2020.\u2019<\/a> Whilst the EDPB does not elaborate on, or appear to engage extensively with, the substance of the concerns in the original letter, the Board highlights the significant consultation process behind the adoption of the Guidelines \u2013 in which certain views which reflect \u2018the concerns raised in [the] letter\u2019 were expressed \u2013 and thus further highlights that it \u2018considers it is not necessary to revise [the] Guidelines for the moment.\u2019 The Board then observes that: \u2018payment service providers can turn to their national supervisory authorities if they require more information and clarifications on these Guidelines.\u2019 The Board finally highlights \u2018the possibility for the payment sector to prepare and submit, in accordance with Article 40 of the GDPR, a code of conduct for approval by their national supervisory authority\u2026 Such a code of conduct would specify the application of the GDPR in relation to the processing of personal data by payment service providers, in the context of services that fall under the PSD2, and provide further solutions and legal certainty for the sector\u2019. The EDPB response is most likely to be of relevance to those with a specific interest in data protection and PSD2.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

– ECtHR Rules on Disclosure of Correspondence in Algirdas Butkevi\u010dius v. Lithuania – On 14th […]<\/p>\n","protected":false},"author":144,"featured_media":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72352","dpi","type-dpi","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72352","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72352"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72352\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72352"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72352"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72352"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}