{"id":72389,"date":"2022-10-13T19:18:07","date_gmt":"2022-10-13T17:18:07","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-79\/"},"modified":"2022-10-13T19:18:07","modified_gmt":"2022-10-13T17:18:07","slug":"data-protection-insider-issue-79","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-79\/","title":{"rendered":"Data Protection Insider, Issue 79"},"content":{"rendered":"

–\u00a0<\/strong>ECtHR: Hungarian DPA with Insufficient Powers to Control Secret Surveillance<\/a>\u00a0<\/strong>–<\/a><\/strong><\/em><\/p>\n

 <\/p>\n

On 29th September, the ECtHR examined again the Hungarian secret surveillance system in\u00a0H\u00fcttl v Hungary<\/em><\/a>. As to the facts of the case, the applicant is a lawyer who suspected that his telephone had been tapped. He submitted several complaints to the Hungarian authorities, but they concluded that he had not been subject to unlawful surveillance or did not investigate his complaints. Then, the applicant filed a complaint with the ECtHR, claiming a violation of Article 8 ECHR. When examining the complaint, the Court focused essentially on the question of whether the Hungarian DPA could offer an effective safeguard against unlawful secret surveillance, an aspect which it had not examined in\u00a0Szab\u00f3 and Vissy<\/em>. The Court noted that the DPA could not perform independent legality checks and address the grievances of the applicant, because the DPA does not have unrestricted access to certain sensitive law enforcement, defence and\/or national security information. Instead, it relies on the findings of the respective ministries. Hence, it cannot be deemed to be an external, independent supervisory authority in relation to the executive. On that basis, the Court found violation of Article 8 ECHR and did not depart from its findings in\u00a0Szab\u00f3 and Vissy<\/em>.<\/p>\n

Learn more<\/span><\/strong><\/span><\/a><\/p>\n

 <\/p>\n

–\u00a0<\/a><\/strong><\/em>AG Advises CJEU that a Mere Infringement of the GDPR Does Not Suffice for Awarding Damages<\/a>\u00a0<\/strong>–<\/a><\/strong><\/em><\/p>\n

 <\/p>\n

On 6th October, AG Campos Sanchez-Bordona delivered his Opinion in\u00a0UI v \u00d6sterreichische Post AG<\/em>\u00a0on the question of whether a mere infringement of the provisions of the GDPR can trigger a claim for damages<\/a>. As to the facts of the case, the applicant complained that he had been profiled by the Austrian postal services as concerns his political affiliation. He claimed that he had not given his consent for the profiling, that he \u2018was upset by the storage of his party affinity data and angered and offended by the affinity specifically attributed to him by \u00d6sterreichische Post\u2019 and \u2018that the political affinity attributed to him is insulting and shameful, as well as extremely damaging to his reputation. In addition, \u00d6sterreichische Post\u2019s conduct caused him great upset and a loss of confidence, and also a feeling of public exposure.\u2019 On that basis he claimed a compensation of \u20ac 1000 for non-material damages. His claim was turned down by the lower domestic courts and eventually three preliminary ruling questions on the issue of whether a mere infringement of the GDPR suffices to award damages were filed with the CJEU. The AG advised the Court to rule that this is not the case for the following two reasons. First, he argued that \u2018there is an unequivocal requirement that the natural person concerned must have suffered damage as a result of an infringement of the GDPR.\u2019 Second, on the related question whether punitive damages can be awarded under the GDPR, the AG reasoned that this is not the case and that there is no presumption of damage when the GDPR is infringed. In his reasoning, the AG focused especially on the point that data subject control is not absolute and not the sole objective of the GDPR. On the second question whether national courts may award other types of damages than financial compensation, the AG advised the Court that such remedies as a declaration that the processing is illegal or payment of a symbolic compensation is not precluded by the GDPR. Finally, on the question of \u2018whether, under the GDPR, the award of compensation for non-material damage is conditional on an \u2018infringement of at least some weight that goes beyond the upset caused by that infringement\u2019\u2019, the AG concluded that \u2018there is a fine line between mere upset (which is not eligible for compensation) and genuine non-material damage (which is eligible for compensation) and I am also aware of how complicated it is to delimit, in the abstract, the two categories and apply them to a particular dispute. That difficult task falls to the courts of the Member States, which will probably be unable to avoid in their rulings the perception prevailing in society at a given time regarding the permissible degree of tolerance where the subjective effects of infringement of a provision in this area do not exceed a\u00a0de minimis<\/em>\u00a0level.\u2019 It remains to be seen what position the Court will take on these delicate questions.<\/p>\n

Learn\u00a0more<\/strong><\/span><\/a><\/p>\n

 <\/p>\n

–\u00a0<\/strong><\/em><\/a>AG Opinion on the GDPR and Disclosure in Civil Procedures<\/a>\u00a0<\/strong>–<\/strong><\/em><\/a><\/p>\n

 <\/p>\n

On 6th October, Advocate General \u0106apeta delivered their Opinion in the case of\u00a0<\/a>Norra Stockholm Bygg AB v Per Nycander AB, joined parties: Entral AB<\/a>.<\/em>\u00a0<\/em>In terms of the facts, the case concerned the construction of a building by the appellant for the respondent. The register of employee activity on the project was held by\u00a0Entral AB<\/em>. With regard to the project, the respondent challenged the request for payment, claiming the requested amount was too high. In this regard, in order to prove this claim before court, the respondent requested the disclosure of employee activity records from Entral AB. The request was opposed by the appellant, who suggested that \u2018such a disclosure would breach the GDPR, as the requested data were collected for another purpose and cannot be used as evidence in the main proceedings.\u2019 National courts initially ordered the production of the records, a decision which the appellant appealed. In this regard, the referring court submitted two questions to the CJEU:<\/p>\n

 <\/p>\n

\u2018Does Article 6(3) and (4) of the [GDPR] also impose a requirement on national procedural legislation relating to disclosure obligations?\u2019<\/p>\n

Must the \u2018interests of the data subjects [be considered] when a decision on disclosure must be made which involves\u2026personal data? In such circumstances, does EU law establish any requirements concerning how\u2026that decision should be made?\u2019<\/p>\n

 <\/p>\n

With regard to the questions, the AG concluded:<\/p>\n

 <\/p>\n

\u2018Article 6(3) and (4) of the [GDPR] imposes requirements on national procedural legislation relating to disclosure obligations whenever disclosure\u2026[involves] personal data. National procedural legislation cannot prevent\u2026the interests of data subjects [being] taken into consideration. Those interests will be safeguarded if national courts respect the rules of\u2026[the GDPR regarding] disclosure.\u2019<\/p>\n

When deciding on the order for disclosure in civil proceedings\u2026[involving] personal data, the national court must undertake a proportionality analysis\u2026[considering] the interests of data subjects\u2026and balance them in relation to the interest of the parties to the procedure to obtain evidence. That proportionality assessment is guided by the principles set out in Article 5 of [the GDPR].\u2019<\/p>\n

 <\/p>\n

As always, it remains to be seen whether, and to what extent, the Court will follow the Opinion. This is an interesting Opinion which touches on a number of pertinent issues in data protection law \u2013 e.g. judicial bodies\u2019 obligations, the conditions of secondary use, pseudonymisation, proportionality \u2013 and, for that reason is well worth reading.<\/p>\n

Learn\u00a0more<\/strong><\/span><\/a><\/p>\n

 <\/p>\n

–\u00a0<\/a><\/strong><\/em>EDPB Announces Publication of Biannual CSC Report of Activities<\/strong><\/a>\u00a0<\/strong>–<\/a><\/strong><\/em><\/p>\n

 <\/p>\n

On 5th October, the EDPB announced the publication of the \u20182020-2022 Coordinated Supervision Committee Report of Activities\u2019 \u2013 adopted in July<\/a>. The Committee consists of \u2018the national Supervisory Authorities (SAs) and the European Data Protection Supervisor (EDPS)\u2019 and aims at ensuring \u2018the coordinated supervision by Supervisory Authorities of large-scale IT systems and of EU bodies, offices and agencies falling under its scope.\u2019 In terms of more substantive content, the Report first discusses the set-up of the Committee \u2013 including its \u2018Rules of Procedure\u2019, the \u2018Organisation of meetings\u2019, and its \u2018Working methods\u2019. The report then goes on to elaborate the activities of the Committee, in relation to which discussions proceed under four headings: i) \u2018Promote and facilitate the exercise of data subject rights\u2019; ii) \u2018Examine difficulties of interpretation or application of EU and national law\u2019; iii) \u2018Exchange information and conduct joint audits or coordinated inspections\u2019; iv) \u2018Prepare for the start of the EPPO\u2019s activities and other EU bodies and information systems that will fall under the Committee\u2019s scope.\u2019 The report finally goes on to discuss \u2018Main Objectives for 2022-2024 \u2013 including discussions of preparations for new large-scale systems as well as of \u2018Coordination and effective supervision\u2019. Whilst the report will likely be of most interest to those who are interested in the subject matter of the Committee\u2019s work, the report should nevertheless be of interest to the broader data protection community \u2013 e.g. with regard to the discussion of the procedures of the Committee.<\/p>\n

Learn more<\/strong><\/span><\/a><\/p>\n

 <\/p>\n

–\u00a0<\/a><\/strong><\/em>EDPB Holds 70th Plenary Meeting<\/a>\u00a0<\/strong>–<\/a><\/strong><\/em><\/p>\n

\u00a0<\/strong><\/p>\n

On 10th October, the EDPB held its 70th plenary meeting<\/a>. From the agenda of the meeting, the EDPB is focusing,\u00a0inter alia<\/em>, on the following topics: complaints with the Ombudsman on access to documents, \u2018Statement on digital euro\u2019, selection of strategic cases, \u2018Art. 64 Opinion on the approval of Europrivacy certification criteria\u2019, \u2018Targeted update of the Guidelines for identifying a controller or processor\u2019s lead supervisory authority\u2019, \u2018Targeted update of the Guidelines on data breach notification\u2019, and \u2018Annual reports of SAs: dedicated Annex with standardised content and format regarding key information\u2019.<\/p>\n

Learn more<\/strong><\/span><\/a><\/p>\n

 <\/p>\n

–<\/a><\/strong><\/em>\u00a0<\/a><\/strong>DPC Draft Article 60 Decision on Meta<\/a>\u00a0<\/strong>–<\/a><\/strong><\/em><\/p>\n

\u00a0<\/strong><\/p>\n

On 3rd October, the Irish DPC announced it had \u2018submitted a draft decision in a large scale inquiry into Meta Platforms Ireland Limited (\u201cMPIL\u201d) to other Concerned Supervisory Authorities across the EU<\/a>.\u2019 The submission follows an investigation into the company which started in April 2021. The investigation concerned reports that \u2018a collated dataset of Facebook user personal data had been made available on the internet\u2019 \u2013 allegedly including hundreds of millions of users\u2019 personal data. The investigation focussed on Meta\u2019s compliance with \u2018Articles 25(1) and 25(2) GDPR (\u201cdata protection by design and by default\u201d)\u2019. Other DPAs now have one month to provide feedback. The feedback procedure can yield significant input and the subsequent progress of the decision is worth following with interest \u2013 not least concerning possible insights into the application of Articles 25(1) and 25(2).<\/p>\n

Learn more<\/strong><\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

–\u00a0ECtHR: Hungarian DPA with Insufficient Powers to Control Secret Surveillance\u00a0–   On 29th September, the […]<\/p>\n","protected":false},"author":144,"featured_media":62803,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72389","dpi","type-dpi","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72389"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72389\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/62803"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72389"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72389"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}