{"id":72395,"date":"2022-11-10T19:18:07","date_gmt":"2022-11-10T18:18:07","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-82\/"},"modified":"2022-11-10T19:18:07","modified_gmt":"2022-11-10T18:18:07","slug":"data-protection-insider-issue-82","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-82\/","title":{"rendered":"Data Protection Insider, Issue 82"},"content":{"rendered":"<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=267405&amp;pageIndex=0&amp;doclang=FR&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=1427122\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; <\/strong><\/a><strong><a href=\"https:\/\/curia.europa.eu\/jcms\/upload\/docs\/application\/pdf\/2022-10\/cp220171en.pdf\" target=\"_blank\" rel=\"noopener\">CJEU Ruling Strengthens the Role of Consent and Right to Erasure<\/a> <\/strong><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=267405&amp;pageIndex=0&amp;doclang=FR&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=1427122\" target=\"_blank\" rel=\"noopener\"><em><strong>&#8211;<\/strong><\/em><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/jcms\/upload\/docs\/application\/pdf\/2022-10\/cp220171en.pdf\" target=\"_blank\" rel=\"noopener\">On 27th October, the CJEU ruled on the right to withdraw consent and the right to erasure in relation to multiple controllers in the case of <em>Proximus NV v Gegevensbeschermingsautoriteit<\/em> in the context of publishing someone\u2019s contact details in public directories.<\/a> As to the facts of the case, a subscriber of telecommunication services provided by Telenet indicated to Proximus, which also provides such services and publishes directories, that they do not wish their data to be published in public directories either by Proximus or by other directory providers to which Proximus provides contact information for 
the purposes of creating and publishing directories. Proximus recorded this in its systems. When Telenet subsequently sent to Proximus the list of its subscribers who wish to be included or do not object to being included in public directories, the applicant\u2019s details were included and Proximus changed its system accordingly. As a result, the applicant\u2019s contact data were published. Upon learning this, the applicant asked Proximus to delete their contact information from the public directory. Proximus informed the applicant that it had deleted their data from the Proximus directory and that it had informed Google and the other directory providers to which it had provided the data of the withdrawal of the applicant\u2019s consent. In parallel, the applicant lodged a complaint with the Belgian DPA, which imposed a \u20ac 20 000 fine on Proximus, relying on the requirement in the e-Privacy Directive that consent is required for the inclusion of the subscribers\u2019 data in public directories. When appealing the fine, Proximus argued that it was not in breach of the GDPR, because consent was not required for the publication of the data in directories. The dispute eventually reached the CJEU via the preliminary ruling procedure. The Court ruled that \u2018consent by a subscriber who has been duly informed is necessary for the purposes of the publication of his or her personal data in a public directory and extends to <strong>any subsequent processing<\/strong> of data by third-party undertakings active in the market for publicly available directory enquiry services and directories, provided that such processing pursues the same purpose.\u2019 The Court then unsurprisingly clarified that consent may be withdrawn and that such a request could be treated as an erasure request. 
The Court further ruled that Proximus should inform the other directory providers and the telecommunications provider from whom the data originated of the withdrawal of consent via \u2018appropriate technical and organisational measures\u2019. From the text of the judgment it is evident that the Court relies here on Article 24 GDPR. Thus, the Court concluded that where several controllers rely on one consent, it is enough that the concerned data subject contacts only one of them. Finally, the Court ruled that \u2018a controller such as Proximus is required, under the GDPR, to ensure that reasonable steps are taken to inform search engine providers of the request addressed to it by the subscriber of a telephone service operator for erasure of his or her personal data.\u2019 From the text of the judgment, it becomes clear that here the Court relies on Article 17(2) GDPR.<\/p>\n<p>&nbsp;<\/p>\n<p><em>Editorial note: The story is based on the Press Release as the judgment is not available in English yet. 
The references to the GDPR Articles have been taken directly from the judgment.<\/em><\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/jcms\/upload\/docs\/application\/pdf\/2022-10\/cp220171en.pdf\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong><span dir=\"ltr\" style=\"color: inherit;\">Learn more<\/span><\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/DE\/TXT\/HTML\/?uri=CELEX:62021CJ0306&amp;from=en\" target=\"_blank\" rel=\"noopener\"><em><strong>&#8211; <\/strong><\/em><\/a><strong><a href=\"https:\/\/www.bundesverfassungsgericht.de\/SharedDocs\/Pressemitteilungen\/EN\/2022\/bvg22-085.html\" target=\"_blank\" rel=\"noopener\">German Constitutional Court Decides on Data Sharing by Intelligence Services<\/a> <\/strong><a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/DE\/TXT\/HTML\/?uri=CELEX:62021CJ0306&amp;from=en\" target=\"_blank\" rel=\"noopener\"><em><strong>&#8211;<\/strong><\/em><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.bundesverfassungsgericht.de\/SharedDocs\/Pressemitteilungen\/EN\/2022\/bvg22-085.html\" target=\"_blank\" rel=\"noopener\">On 28th September, the German Constitutional Court ruled in a case concerning the scope of domestic intelligence agencies\u2019 data sharing powers<\/a>. 
In terms of the facts, the case concerned an application by a complainant \u2018who was convicted in criminal proceedings relating to the National Socialist Underground (who challenged) the data sharing powers of the domestic intelligence services and (asserted) a violation of the fundamental right to informational self-determination.\u2019 The powers in question essentially flow from the Federal Protection of the Constitution Act (Bundesverfassungsschutzgesetz) and allowed federal and state intelligence services to share information with police and public prosecutors \u2018when there are factual indications that the sharing of information is necessary for the prevention or prosecution of offences against state security.\u2019 The same powers are relied upon as justification for the establishment of \u2018the Standardised Central Database to Combat Violent Right-Wing Extremism (Rechtsextremismus-Datei-Gesetz)\u2026a joint database for police authorities and intelligence services of the Federation and the L\u00e4nder that serves to facilitate inter-agency requests for information.\u2019 In this regard, the Court generally held\u00a0 \u2018that the data sharing powers of domestic intelligence services under the Federal Protection of the Constitution Act\u2026are not compatible with the fundamental right to informational self-determination under Art. 2(1) in conjunction with Art. 1(1) of the Basic Law (Grundgesetz \u2013 GG). Specifically, (the) ruling is directed at provisions permitting the sharing of personal data that was obtained by\u2026domestic intelligence services through covert methods. These provisions violate the principles of legal clarity and proportionality. They also lack sufficiently specific documentation requirements.\u2019 The case is interesting and will surely be a worthwhile subject of study for anyone interested in law and data processing for security purposes. 
The considerations on the proportionality of the provisions in question are particularly interesting.<\/p>\n<p>&nbsp;<\/p>\n<p><em>Editorial note: The story is based on the Press Release as the judgment is not available in English.<\/em><\/p>\n<p><a href=\"https:\/\/www.bundesverfassungsgericht.de\/SharedDocs\/Pressemitteilungen\/EN\/2022\/bvg22-085.html\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn\u00a0more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/hudoc.echr.coe.int\/eng#%7B%22itemid%22:%5B%22001-219984%22%5D%7D\" target=\"_blank\" rel=\"noopener\"><em><strong>&#8211; <\/strong><\/em><\/a><strong><a href=\"https:\/\/www.statewatch.org\/observatories\/frontex\/document-collection-frontex-and-operational-personal-data\/\" target=\"_blank\" rel=\"noopener\">Statewatch Releases Documents on Personal Data Processing by Frontex<\/a> <\/strong><a href=\"https:\/\/hudoc.echr.coe.int\/eng#%7B%22itemid%22:%5B%22001-219984%22%5D%7D\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;<\/strong><\/a><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><a href=\"https:\/\/www.statewatch.org\/observatories\/frontex\/document-collection-frontex-and-operational-personal-data\/\" target=\"_blank\" rel=\"noopener\">On 4th November, Statewatch published a series of documents concerning the operational personal data processing practices of Frontex (the European Border and Coast Guard Agency), especially those carried out for the purposes of fighting <em>cross-border crime<\/em>.<\/a> The documents cover the period from December 2018 until November 2022. 
According to Statewatch, the documents \u2018make it crystal clear how the management of the EU&#8217;s most powerful agency sought to ignore the advice of its Data Protection Officer (DPO), echoing previous attempts to sideline the agency&#8217;s Fundamental Rights Officer (FRO) in the scandal over pushbacks at the Greek-Turkish border and operations at the Hungarian-Serbian border.\u2019 One of the released documents concerns the Management Board Decision of December 2021, which seeks to regulate the processing of operational personal data. Statewatch notes that \u2018following the publication of the investigation into the process of adoption, they were rescinded and are now being redrafted.\u2019 We believe that those who carry out research on Frontex, including on its data protection compliance, will find the sources very informative.<\/p>\n<p><a href=\"https:\/\/www.statewatch.org\/observatories\/frontex\/document-collection-frontex-and-operational-personal-data\/\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn\u00a0more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><em><strong><a href=\"https:\/\/edpb.europa.eu\/news\/news\/2022\/edpb-adopts-guidelines-certification-tool-transfers-and-art-65-dispute-resolution_en\" target=\"_blank\" rel=\"noopener\">&#8211;\u00a0<\/a><\/strong><\/em><a href=\"https:\/\/www.oecd-ilibrary.org\/docserver\/44f5e846-en.pdf?expires=1667906465&amp;id=id&amp;accname=guest&amp;checksum=A3F5EDCC4586EC4E22393729B0AF2710\" target=\"_blank\" rel=\"noopener\"><strong>OECD Publishes Report on Dark Commercial Patterns<\/strong><\/a><strong> &#8211;\u00a0<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.oecd-ilibrary.org\/docserver\/44f5e846-en.pdf?expires=1667906465&amp;id=id&amp;accname=guest&amp;checksum=A3F5EDCC4586EC4E22393729B0AF2710\" target=\"_blank\" rel=\"noopener\">On October 26th, the OECD made the report \u2018Dark Commercial Patterns\u2019 available<\/a>. 
The report builds on the recognition \u2018of the growing need to address dark commercial patterns comprehensively\u2019 and on the back of a roundtable on the topic held in November 2020. In terms of content, the report is split into six substantive sections, which discuss: i) \u2018the nature of dark patterns and issues around their definition\u2019 \u2013 including the following working definition: \u2018Dark commercial patterns are business practices employing elements of digital choice architecture, in particular in online user interfaces, that subvert or impair consumer autonomy, decision-making or choice. They often deceive, coerce or manipulate consumers and are likely to cause direct or indirect consumer detriment in various ways, though it may be difficult or impossible to measure such detriment in many instances\u2019; ii) \u2018their prevalence\u2019; iii) \u2018effects on consumer decision-making, detectability, and harms\u2019; iv) \u2018regulatory and enforcement measures\u2019; and v) \u2018educational, technical and business initiatives and tools\u2019. The report is also accompanied by a number of annexes, which include evidence of dark patterns and their consequences, examples of enforcement actions against dark patterns, and considerations of EU law which may be useful in addressing dark patterns. 
The report deals with a fascinating topic and will be of interest to all concerned with developments in commercial data practices.<\/p>\n<p><a href=\"https:\/\/www.oecd-ilibrary.org\/docserver\/44f5e846-en.pdf?expires=1667906465&amp;id=id&amp;accname=guest&amp;checksum=A3F5EDCC4586EC4E22393729B0AF2710\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn more<\/strong><\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8211; CJEU Ruling Strengthens the Role of Consent and Right to Erasure &#8211; &nbsp; On [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":63122,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72395","dpi","type-dpi","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72395","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72395"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72395\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/63122"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72395"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72395"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}