{"id":72400,"date":"2022-12-08T19:18:07","date_gmt":"2022-12-08T18:18:07","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-84\/"},"modified":"2022-12-08T19:18:07","modified_gmt":"2022-12-08T18:18:07","slug":"data-protection-insider-issue-84","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-84\/","title":{"rendered":"Data Protection Insider, Issue 84"},"content":{"rendered":"<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=268842&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=132065\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; CJEU Invalidates a Provision in the Anti-Money Laundering and Terrorist Financing Directive on Data Protection Grounds &#8211;\u00a0<\/strong><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><u><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=268842&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=132065\" target=\"_blank\" rel=\"noopener\">On 22nd November, the CJEU invalidated a provision in the Anti-Money Laundering and Terrorist Financing Directive in the Joined Cases <\/a><\/u><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=268842&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=132065\" target=\"_blank\" rel=\"noopener\"><em>WM and Sovim SA v Luxembourg Business Registers<\/em><\/a><u><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=268842&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=132065\" target=\"_blank\" rel=\"noopener\">, <\/a><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=268842&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=132065\" target=\"_blank\" rel=\"noopener\">because it is not 
compatible with the EU data protection framework.<\/a><\/u> As to the facts of the case, the applicants had submitted a request with the Luxembourg Business Registers so that the information concerning the beneficial ownership of companies they owned, including the personal data of the owners, be disclosed only to those entities mentioned in Luxembourgish law, which we understand implements the EU Anti-Money Laundering and Terrorist Financing Directive. In other words, they did not want the data to be accessible to the general public, because that information could place the applicants and their families at risk. Their requests were turned down. In subsequent procedures challenging the decision, the national courts, relying on the preliminary ruling procedure, raised questions about the compliance of the provisions with the GDPR and Articles 7 and 8 CFREU. In its ruling, the CJEU noted that \u2018the general public\u2019s access to information on beneficial ownership, provided for in Article 30(5) of Directive 2015\/849 as amended, constitutes (a serious) interference with the rights guaranteed in Articles 7 and 8 of the Charter.\u2019 Following this, it first examined whether the interference complies with Article 52(1) CFREU. It noted that the Directive provides a legal basis for the interference. Second, as to the objective of general interest, the Court found that \u2018by providing for the general public\u2019s access to information on beneficial ownership, the EU legislature seeks to prevent money laundering and terrorist financing by creating, by means of increased transparency, an environment less likely to be used for those purposes.\u2019 Third, on appropriateness, necessity and proportionality, the Court ruled that the publication of the contested information is appropriate to attaining the objective of general interest. However, as to the requirement on strict necessity, the Court ruled that this was not demonstrated <em>in casu<\/em> \u2013 e.g. 
because it did not accept the Commission\u2019s argument that it is difficult to define \u2018legitimate interest\u2019 in order to restrict access to those entities which have demonstrated legitimate interest in obtaining information on the beneficiaries (which was the rule with the previous version of the contested Directive). Finally, the Court established that the interference was not proportionate, <em>inter alia<\/em>, because the Directive did not specify exhaustively which personal data may be disclosed to the general public and \u2018the regime introduced by Directive 2018\/843, providing for the general public\u2019s access to information on beneficial ownership, amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter, without that increased interference being capable of being offset by any benefits which might result from the latter regime as compared against the former regime, in terms of combating money laundering and terrorist financing (\u2026).\u2019 On these grounds, the contested provision of the Directive was invalidated.<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=268842&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=132065\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong><span dir=\"ltr\" style=\"color: inherit;\">Learn more<\/span><\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_22_7246\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; Political Agreement on E-Evidence Reached &#8211;<\/strong><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_22_7246\" target=\"_blank\" rel=\"noopener\">On 29th November, a \u2018provisional political agreement\u2019 was \u2018reached\u2026by the European Parliament and the Council on the new rules for sharing of 
e-evidence across the EU\u2019<\/a>. The legislation in question includes: i) \u2018The Regulation on European Production and Preservation Orders\u2019 which \u2018seeks to adapt cooperation mechanisms to the digital age, giving the judiciary and law enforcement tools to address the way criminals communicate today, and to counter modern forms of criminality\u2019; and ii) \u2018The Directive on the appointment of legal representatives for the gathering of electronic evidence\u2019 which aims to harmonize \u2018rules on appointment of legal representatives or designated establishments\u2019. Moving forward, the provisional agreement \u2018will lead to the formal adoption of a Directive and a Regulation\u2026Once published in the Official Journal, the Regulation will enter into force 20 days after publication\u2026and shall enter into application three years after that. The Directive will enter into force 20 days after publication and Member States will then need to transpose the new elements of the Directive into national law within two and a half years.\u2019 According to the Commission\u2019s press release, the new legislation will \u2018ensure reliable, transparent, and swift exchange of e-Evidence with a high level of protection\u2019.<\/p>\n<p><a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_22_7246\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn\u00a0more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/dskb\/2022_24_11_festlegung_MS365_zusammenfassung.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; German DSK Evaluation of Microsoft 365 &#8211;\u00a0<\/strong><\/a><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/dskb\/2022_24_11_festlegung_MS365_zusammenfassung.pdf\" target=\"_blank\" rel=\"noopener\">On 25th November, the German Datenschutzkonferenz (DSK) published a summary of an evaluation of 
Microsoft 365. The evaluation concerns revisions made to Microsoft\u2019s set of processor terms and conditions (\u2018\u201eDatenschutznachtrag zu den Produkten und Services von Microsoft\u201c\u2026: \u201eDatenschutznachtrag\u201c)\u2019<\/a>. The revisions in question followed an initial problematic evaluation of Microsoft 365 in 2020, and a subsequent round of discussions with a Working Group involving several German DPAs. Whilst the Datenschutznachtrag does indeed contain certain changes in relation to the points highlighted in the initial evaluation and discussed with the Working Group, the new evaluation highlights there are still outstanding issues concerning compliance with data protection law. Points discussed in the new evaluation include, for example: the \u2018Determination of the nature and purpose of processing and type of personal data\u2019; \u2018Microsoft&#8217;s own responsibility in the context of processing &#8220;for legitimate business purposes&#8221;\u2019; the \u2018Implementation of technical and organizational measures according to Art. 32 DSGVO\u2019; the \u2018Deletion and return of personal data\u2019; and \u2018Data transfers to third countries\u2019. The evaluation should be interesting for all following the Microsoft 365 saga, as well as for all interested in data protection and the operation of software giants. 
<em>Unfortunately, at the time of writing, information regarding the evaluation appears to be available only in German.<\/em><\/p>\n<p><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/dskb\/2022_24_11_festlegung_MS365_zusammenfassung.pdf\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn\u00a0more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/pm\/20221125_pm_dsk104_forschung_gesundheitsdaten.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; German DSK Provides Orientation Concerning Research with Health Data &#8211;\u00a0<\/strong><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/pm\/20221125_pm_dsk104_forschung_gesundheitsdaten.pdf\" target=\"_blank\" rel=\"noopener\">According to a press release, the German Datenschutzkonferenz (DSK) \u2018considers requirements for the scientific processing of health data at its 104th conference\u2019 \u2013 which took place between 22nd and 24th November in Bonn.<\/a> The Bundesbeauftragte f\u00fcr den Datenschutz und die Informationsfreiheit (BfDI) highlighted the importance of \u2018transparent and comprehensible rules\u2026the best legal and technical protection for data subjects\u2026advice and monitoring by\u2026data protection supervisory authorities\u2019 and \u2018legal regulation of research secrecy\u2019. Further, according to the press release: \u2018For the DSK, the basic guarantees and measures also include the issues of encryption and pseudonymization of data by a trusted body, as well as the earliest possible anonymization, as, when using anonymous data sets, researchers can make extensive use of data. A central register directory and a central coordinating body with a guiding function are also among the requirements of the DSK. 
Overall, the principle should apply that the more extensively and specifically data can be used, the greater the protection of the data subjects through suitable guarantees and measures.\u2019 <em>Unfortunately, at the time of writing, information appears to be available only in German.<\/em><\/p>\n<p><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/pm\/20221125_pm_dsk104_forschung_gesundheitsdaten.pdf\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.dataprotection.ie\/en\/news-media\/press-releases\/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; Irish DPC Fines Meta \u20ac265 million &#8211;\u00a0<\/strong><\/a><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><a href=\"https:\/\/www.dataprotection.ie\/en\/news-media\/press-releases\/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry\" target=\"_blank\" rel=\"noopener\">On 25th November, the Irish DPC fined Meta Platforms \u20ac265 million for breaches of the principles of privacy by design and by default in Article 25(1) and (2) GDPR. It also ordered the data processing in question be brought into compliance with these provisions.<\/a><\/p>\n<p>The Irish DPC started an inquiry into Meta Platforms in the spring of 2021 on the basis \u2018of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. 
The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (\u2018MPIL\u2019) during the period between 25 May 2018 and September 2019.\u2019 The Irish DPC established deficiencies with regard to the implementation of adequate technical and organisational measures, which are required by Article 25 GDPR. The fine and the compliance order were issued after the Irish DPC \u2013 the Lead Supervisory Authority (LSA) \u2013 followed the consistency mechanism under the GDPR, in which all other European DPAs were involved.<\/p>\n<p><a href=\"https:\/\/www.dataprotection.ie\/en\/news-media\/press-releases\/data-protection-commission-announces-decision-in-facebook-data-scraping-inquiry\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2022-12\/20221205plen1.1agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211; EDPB Holds 72nd Plenary Meeting &#8211;\u00a0<\/strong><\/a><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2022-12\/20221205plen1.1agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\">On 5th December, the EDPB held its 72nd plenary meeting<\/a>. From the agenda of the meeting, it is clear that the EDPB focused on the consistency mechanism and discussed, among others, the following points:<\/p>\n<ul>\n<li>\u2018Decision on the dispute arisen on the draft decision of the Irish Supervisory Authority on Meta Platforms Ireland Limited and its Facebook service (Art. 65(1)(a) GDPR)\u2019;<\/li>\n<li>\u2018Decision on the dispute arisen on the draft decision of the Irish Supervisory Authority on Meta Platforms Ireland Limited and its Instagram service (Art. 
65(1)(a) GDPR)\u2019;<\/li>\n<li>\u2018Decision on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland Limited (Art. 65(1)(a) GDPR)\u2019.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2022-12\/20221205plen1.1agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn more<\/strong><\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8211; CJEU Invalidates a Provision in the Anti-Money Laundering and Terrorist Financing Directive on Data [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":63426,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72400","dpi","type-dpi","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72400","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72400"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72400\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/63426"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72400"}],"wp:term":[{"taxonomy":"dpi-category","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72400"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72400"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}