{"id":72404,"date":"2023-01-19T19:18:08","date_gmt":"2023-01-19T18:18:08","guid":{"rendered":"https:\/\/www.lexxion.eu\/dpi\/data-protection-insider-issue-86\/"},"modified":"2023-01-19T19:18:08","modified_gmt":"2023-01-19T18:18:08","slug":"data-protection-insider-issue-86","status":"publish","type":"dpi","link":"https:\/\/www.lexxion.eu\/en\/dpi\/data-protection-insider-issue-86\/","title":{"rendered":"Data Protection Insider, Issue 86"},"content":{"rendered":"<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269981&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=24973\" target=\"_blank\" rel=\"noopener\">\u00a0&#8211;\u00a0<\/a><strong><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf;jsessionid=449F4FB519C9A3A466FD694C399BCDDA?text=&amp;docid=269146&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=173280\" target=\"_blank\" rel=\"noopener\">The CJEU: Controllers Should Disclose the Full List of Recipients as a Rule<\/a>\u00a0<\/strong><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269981&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=24973\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;\u00a0<\/strong><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>On 12th January, the CJEU ruled on whether controllers may choose to restrict the information about recipients only to the\u00a0<em>categories of recipients<\/em>\u00a0of personal data when responding to data subject access requests in the case of\u00a0<em>RW v \u00d6sterreichische Post\u00a0<\/em>AG. As to the facts of the case, the applicant in the main proceedings had requested \u00d6sterreichische Post AG to disclose the full list of recipients to which their personal data had been disclosed. 
The postal service restricted its answer only to the categories of recipients, relying on the wording of Article 15(1)(c) GDPR, which provides that the controller shall disclose \u2018the recipients or categories of recipient to whom the personal data have been or will be disclosed\u2019. Thus, the question arose whether the controller is actually obliged to disclose the full list of recipients under the right of access in the GDPR.\u00a0<a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf;jsessionid=449F4FB519C9A3A466FD694C399BCDDA?text=&amp;docid=269146&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=173280\" target=\"_blank\" rel=\"noopener\">The CJEU largely followed the AG Opinion, which we discussed previously in our newsletter, and gave a broad interpretation of the right of access to one\u2019s data, to include the disclosure of the full list of recipients as a rule. It presented the following five arguments to support its ruling<\/a>. First, the clarifying Recital 63 GDPR does not mention that the right of access should be restricted to the categories of recipients. Second, the provisions on the right of access should be read in light of Article 5 GDPR, which contains the principle of transparency. For the latter to be fulfilled, the full list of recipients should be disclosed. Third, it referred to the AG Opinion, pursuant to which the requesting individual should be able to choose whether they are satisfied only with information about the categories of recipients or whether they wish to know the exact identity of these recipients. 
Fourth, where the data have already been disclosed to concrete recipients, their identity should be disclosed, so that the concerned data subject may check whether the recipients have a legal basis for the processing of their data and may exercise their rights of rectification, erasure, restriction of processing, to object to processing, and to effective remedies against the controller or processor and compensation. Fifth, having the full list of recipients can be derived from the controller\u2019s obligations in Article 19 GDPR to inform the recipients of the data of any erasure, rectification, etc, requests and to inform the data subject of these recipients where the data subject so requests. Finally, the CJEU clarified that the controller may restrict the provision of the full list of recipients where either not all recipients have been determined or identified yet, or where the controller demonstrates that the request is excessive or manifestly ill-founded (Article 12 (5) GDPR).<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf;jsessionid=449F4FB519C9A3A466FD694C399BCDDA?text=&amp;docid=269146&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=173280\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong><span dir=\"ltr\" style=\"color: inherit;\">Learn more<\/span><\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269881&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=33411\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;\u00a0<\/strong><\/a><strong><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269145&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=5925\" target=\"_blank\" rel=\"noopener\">CJEU Rules on Relationship between Public and Private Remedies<\/a>\u00a0<\/strong><a 
href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269881&amp;pageIndex=0&amp;doclang=EN&amp;mode=req&amp;dir=&amp;occ=first&amp;part=1&amp;cid=33411\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;<\/strong><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269145&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=5925\" target=\"_blank\" rel=\"noopener\">On 12th January the CJEU ruled in the case of\u00a0<\/a><em><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269145&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=5925\" target=\"_blank\" rel=\"noopener\">BE v Nemzeti Adatv\u00e9delmi \u00e9s Inform\u00e1ci\u00f3szabads\u00e1g Hat\u00f3s\u00e1g<\/a>.<\/em>\u00a0The case concerned the efforts of BE to obtain copies of certain audio recordings which include responses to questions BE posed at a shareholder meeting. In this regard, BE started various proceedings before various legal fora \u2013 including a complaint to the data protection supervisory authority, an appeal against the negative decision of the supervisory authority before the referring court, and a parallel civil procedure against the controller. In this regard, the referring court posed the following three questions to the CJEU:<\/p>\n<p>&nbsp;<\/p>\n<p>1.\u00a0 Does \u2018the administrative appeal provided\u2026in Article 77\u2019 of the GDPR \u2018constitute\u2026an instrument for the exercise of public rights, whereas the legal action\u2026in Article 79\u2019 of the GDPR \u2018an instrument for the exercise of private rights? 
If so, does\u2026the supervisory authority, which is responsible for hearing and determining administrative appeals\u2019 have \u2018priority competence to determine the existence of an infringement?\u2019<\/p>\n<p>2.\u00a0 \u00a0If \u2018the data subject\u2026simultaneously exercises his right to lodge a complaint under Article 77(1)\u2026and his right to bring a legal action under Article 79(1)\u2019 does Article 47 of the Charter mean \u2018the supervisory authority and the court have an obligation to examine the existence of an infringement independently\u2019 or \u2018that the supervisory authority\u2019s decision takes priority\u2026regard being had to the powers provided for in\u2019 the GDPR?<\/p>\n<p>3.\u00a0 \u2018Must the independence of the supervisory authority\u2019 mean the authority, in relation to \u2018proceedings under Article 77, is independent of whatever ruling may be given by final judgment by the court having jurisdiction under Article 79\u2019?<\/p>\n<p>&nbsp;<\/p>\n<p>In relation to these questions, the CJEU decided: \u2018Article 77(1), Article 78(1) and Article 79(1)\u2026read in the light of Article 47 of the Charter\u2026must be interpreted as permitting the remedies\u2019 in the Articles in question \u2018to be exercised concurrently with and independently of each other.\u2019 The Court also ruled, however, that: \u2018It is for the Member States, in accordance with the principle of procedural autonomy, to lay down detailed rules as regards the relationship between those remedies in order to ensure the effective protection of the rights guaranteed\u2026and the consistent and homogeneous application of\u2026provisions, as well as the right to an effective remedy before a court or tribunal as referred to in Article 47.\u2019 Whilst the issue dealt with in the case may seem of a rather technical nature, we note that it touches on a fascinating and important, yet seldom discussed, issue in data protection law: the relationships between 
the various legal fora capable of producing decisions concerning data protection law, and between the content of the decisions they may produce.<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=269145&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=5925\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn\u00a0more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/dskb\/2022_24_11_festlegung_MS365_zusammenfassung.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;\u00a0<\/strong><\/a><a href=\"https:\/\/edpb.europa.eu\/news\/news\/2023\/facebook-and-instagram-decisions-important-impact-use-personal-data-behavioural_en\" target=\"_blank\" rel=\"noopener\"><strong>Irish DPC Adopts Decisions on Facebook and Instagram<\/strong><\/a><strong>\u00a0&#8211;<\/strong><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/dskb\/2022_24_11_festlegung_MS365_zusammenfassung.pdf\" target=\"_blank\" rel=\"noopener\"><strong>\u00a0<\/strong><\/a><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><a href=\"https:\/\/edpb.europa.eu\/news\/news\/2023\/facebook-and-instagram-decisions-important-impact-use-personal-data-behavioural_en\" target=\"_blank\" rel=\"noopener\">On 12th January, the EDPB announced that, on the back of \u2018the EDPB\u2019s binding dispute resolution decisions of 5 December 2022, the Irish Data Protection Authority (IE DPA) has adopted its decisions regarding Facebook and Instagram (Meta Platforms Ireland Limited, \u2018Meta IE\u2019)<\/a>.\u2019 In terms of size, \u2018Meta IE was fined \u20ac210 million in the Facebook decision and \u20ac180 million in the Instagram decision\u2019. 
The EDPB note that the \u2018decisions are the result of complaint-based inquiries into Facebook\u2019s and Instagram\u2019s activities in particular concerning the lawfulness and transparency of processing for behavioural advertising.\u2019 The EDPB\u2019s decisions of 5th December altered the prior approach adopted by the Irish Data Protection Authority in a number of ways, including, for example: requiring \u2018the IE DPA to include in both final decisions a finding of infringement of the principle of fairness\u2019; requiring \u2018that the IE DPA must carry out a new investigation\u2019 concerning the processing of \u2018sensitive data\u2026by Meta IE\u2019; and requiring that \u2018the IE DPA\u2026include, in its final decisions, an order for Meta IE to bring its processing of personal data for behavioural advertising in the context of the Facebook and Instagram services into compliance with Art. 6(1) GDPR within three months\u2019. Significantly, the EDPB\u2019s deliberations and decisions led to increases in the size of fines \u2013 from \u2018a maximum of \u20ac36 and \u20ac23 million for the Facebook and Instagram draft decisions, to \u20ac210 million and \u20ac180 million in the final decisions respectively\u2019.<\/p>\n<p><a href=\"https:\/\/edpb.europa.eu\/news\/news\/2023\/facebook-and-instagram-decisions-important-impact-use-personal-data-behavioural_en\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn\u00a0more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><strong><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=270416&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=51262\" target=\"_blank\" rel=\"noopener\">&#8211;\u00a0<\/a><\/strong><strong><a href=\"https:\/\/www.cnil.fr\/en\/cookies-microsoft-ireland-operations-limited-fined-60-million-euros\" target=\"_blank\" rel=\"noopener\">The CNIL Imposes Large Fines on Microsoft and 
Apple<\/a>\u00a0<\/strong><strong><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=270416&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=51262\" target=\"_blank\" rel=\"noopener\">&#8211;\u00a0<\/a><\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/www.cnil.fr\/en\/cookies-microsoft-ireland-operations-limited-fined-60-million-euros\" target=\"_blank\" rel=\"noopener\">On 19 and 29th December 2022, the CNIL fined Microsoft and Apple \u20ac60 and \u20ac8 million, respectively<\/a>. The Microsoft fine concerns the use of cookies on the \u2018bing.com\u2019 website, which, according to the CNIL, breaches the French Data Protection Act, because \u2018when users visited this site, cookies were deposited on their terminal without their consent, while these cookies were used, among others, for advertising purposes. It also observed that there was no button allowing to refuse the deposit of cookies as easily as accepting it.\u2019 In addition to the monetary fine, the CNIL imposed a compliance order \u2018requiring that the company collects, on the website &#8220;bing.com&#8221;, the consent of individuals residing in France, within three months, before depositing cookies and tracers with advertising purposes on their terminal. Otherwise, the company may pay a penalty of 60,000 euros per day overdue.\u2019 The Apple fine also concerns the lack of valid consent \u2018under the old version 14.6 of the operating system of the iPhone\u2019. Thus, \u2018when a user visited the App Store, identifiers used for several purposes, including personalization of ads on the App Store, were by default automatically read on the terminal without obtaining consent\u2019 and \u2018the user had to perform a large number of actions in order to deactivate this setting\u2019. 
As the CNIL reports, the fines are based on breaches of the French implementation of the e-Privacy Directive, in which case the one-stop-shop mechanism under the GDPR does not apply and thus the CNIL is materially competent. The CNIL also notes that it is territorially competent to impose the fines, because the use of the Microsoft cookies and the Apple identifiers \u2018is carried out within the &#8220;framework of the activities&#8221;\u2019 of \u2018APPLE RETAIL FRANCE and APPLE FRANCE\u2019 and \u2018MICROSOFT FRANCE,\u2019 \u2018which constitutes the &#8220;establishment&#8221; on French territory of\u2019 the Microsoft and Apple groups, respectively.<\/p>\n<p><a href=\"https:\/\/www.cnil.fr\/en\/cookies-microsoft-ireland-operations-limited-fined-60-million-euros\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=270402&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=51295#Footref32\" target=\"_blank\" rel=\"noopener\">&#8211;<\/a>\u00a0<a href=\"https:\/\/edps.europa.eu\/system\/files\/2022-12\/EDPS-2022-28-Secure%20instant%20payments%20for%20individuals%20in%20the%20EU_EN.pdf\" target=\"_blank\" rel=\"noopener\"><strong>EDPS Issues Opinion on \u2018Secure instant payments for individuals in the EU\u2019<\/strong><\/a><a href=\"https:\/\/curia.europa.eu\/juris\/document\/document.jsf?text=&amp;docid=270402&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=51295#Footref32\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;\u00a0<\/strong><\/a><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2023-01\/20230117plen1.2.agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\">On 19th December 2022, the EDPS issued Opinion 27\/2022 on the proposed Regulation concerning \u2018secure instant 
payments for individuals in the EU.\u2019<\/a>\u00a0The proposed Regulation seeks to address \u2018the high rate of rejected instant payments due to the misidentification of individuals.\u2019 In his Opinion, the EDPS notes two provisions in the proposal which have positive effects from a data protection point of view: (1) the payee identity verification procedure, which gives more security to the payer and can help them decide whether to authorise the payment, and which the payer may opt in to or out of, and (2) the new measure for \u2018verifying periodically payers\u2019 information against information in EU sanctions lists, instead of verifying this information for each transaction.\u2019<\/p>\n<p><a href=\"https:\/\/edps.europa.eu\/system\/files\/2022-12\/EDPS-2022-28-Secure%20instant%20payments%20for%20individuals%20in%20the%20EU_EN.pdf\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn more<\/strong><\/span><\/a><\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2022-12\/20221205plen1.1agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;<\/strong><\/a><strong>\u00a0<\/strong><strong><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2023-01\/20230117plen1.2.agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\">EDPB holds 74th Plenary Meeting<\/a>\u00a0<\/strong><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2022-12\/20221205plen1.1agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\"><strong>&#8211;\u00a0<\/strong><\/a><\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<p><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2023-01\/20230117plen1.2.agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\">On 17th January, the EDPB held its 74th Plenary Meeting.<\/a>\u00a0From the Agenda of the meeting, it seems the following significant points, amongst others, will have been discussed:<\/p>\n<ul>\n<li>The \u2018EU-US Data Privacy Framework\u2019 \u2013 including \u2018an exchange of 
views\u2019 between Commissioner Didier Reynders and members of the EDPB and a discussion of the \u2018EDPB opinion on draft adequacy decision\u2019.<\/li>\n<li>The \u2018Cookie Banner Task Force\u2019 \u2013 including an update and a discussion of the direction of work.<\/li>\n<li>The \u2018CEF cloud report\u2019.<\/li>\n<\/ul>\n<p>At the time of writing, only the Agenda of the meeting is available. We presume more materials relating to the outcome of the meeting will become available in due course.<\/p>\n<p><a href=\"https:\/\/edpb.europa.eu\/system\/files\/2023-01\/20230117plen1.2.agenda_public_0.pdf\" target=\"_blank\" rel=\"noopener\"><span dir=\"ltr\"><strong>Learn more<\/strong><\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; \u00a0&#8211;\u00a0The CJEU: Controllers Should Disclose the Full List of Recipients as a Rule\u00a0&#8211;\u00a0 &nbsp; [&hellip;]<\/p>\n","protected":false},"author":144,"featured_media":64131,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","dpi-category":[],"dpi-tag":[],"class_list":["post-72404","dpi","type-dpi","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi"}],"about":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/types\/dpi"}],"author":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/users\/144"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/comments?post=72404"}],"version-history":[{"count":0,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi\/72404\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media\/64131"}],"wp:attachment":[{"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/media?parent=72404"}],"wp:term":[{"taxonomy":"dpi-cate
gory","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-category?post=72404"},{"taxonomy":"dpi-tag","embeddable":true,"href":"https:\/\/www.lexxion.eu\/en\/wp-json\/wp\/v2\/dpi-tag?post=72404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}