|
|
Your biweekly news on EU data protection
For more in-depth analysis go to lexxion.eu/dpi
|
|
|
- CJEU Invalidates a Provision in the Anti-Money Laundering and Terrorist Financing Directive on Data Protection Grounds -
On 22nd November, the CJEU invalidated a provision in the Anti-Money Laundering and Terrorist Financing Directive in the Joined Cases WM and Sovim SA v Luxembourg Business Registers, because it is not compatible with the EU data protection framework. As to the facts of the case, the applicants had submitted a request with the Luxembourg Business Registers so that the information concerning the beneficial ownership of companies they owned, including the personal data of the owners, be disclosed only to those entities mentioned in Luxembourgish law, which we understand implements the EU Anti-Money Laundering and Terrorist Financing Directive. In other words, they did not want the data to be accessible to the general public, because that information could place the applicants and their families at risk. Their requests were turned down. In subsequent procedures challenging the decision, the national courts, relying on the preliminary ruling procedure, raised questions about the compliance of the provisions with the GDPR and Articles 7 and 8 CFREU. In its ruling, the CJEU noted that ‘the general public’s access to information on beneficial ownership, provided for in Article 30(5) of Directive 2015/849 as amended, constitutes (a serious) interference with the rights guaranteed in Articles 7 and 8 of the Charter.’ Following this, it first examined whether the interference complies with Article 52(1) CFREU. It noted that the Directive provides a legal basis for the interference. Second, as to the objective of general interest, the Court found that ‘by providing for the general public’s access to information on beneficial ownership, the EU legislature seeks to prevent money laundering and terrorist financing by creating, by means of increased transparency, an environment less likely to be used for those purposes.’ Third, on appropriateness, necessity and proportionality, the Court ruled that the publication of the contested information is appropriate to attaining the objective of general interest. However, as to the requirement on strict necessity, the Court ruled that this was not demonstrated in casu – e.g. because it did not accept the Commission’s argument that it is difficult to define ‘legitimate interest’ in order to restrict access to those entities which have demonstrated legitimate interest in obtaining information on the beneficiaries (which was the rule with the previous version of the contested Directive). Finally, the Court established that the interference was not proportionate, inter alia, because the Directive did not specify exhaustively which personal data may be disclosed to the general public and ‘the regime introduced by Directive 2018/843, providing for the general public’s access to information on beneficial ownership, amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter, without that increased interference being capable of being offset by any benefits which might result from the latter regime as compared against the former regime, in terms of combating money laundering and terrorist financing (…).’ On these grounds, the contested provision of the Directive was invalidated.
|
|
|
- Political Agreement on E-Evidence Reached -
On 29th November, a ‘provisional political agreement’ was ‘reached…by the European Parliament and the Council on the new rules for sharing of e-evidence across the EU’. The legislation in question includes: i) ‘The Regulation on European Production and Preservation Orders’ which ‘seeks to adapt cooperation mechanisms to the digital age, giving the judiciary and law enforcement tools to address the way criminals communicate today, and to counter modern forms of criminality’; and ii) ‘The Directive on the appointment of legal representatives for the gathering of electronic evidence’ which aims to harmonize ‘rules on appointment of legal representatives or designated establishments’. Moving forward, the provisional agreement ‘will lead to the formal adoption of a Directive and a Regulation…Once published in the Official Journal, the Regulation will enter into force 20 days after publication…and shall enter into application three years after that. The Directive will enter into force 20 days after publication and Member States will then need to transpose the new elements of the Directive into national law within two and a half years.’ According to the Commission’s press release, the new legislation will ‘ensure reliable, transparent, and swift exchange of e-Evidence with a high level of protection’.
|
|
|
- German DSK Provides Orientation Concerning Research with Health Data -
According to a press release, the German Datenschutzkonferenz (DSK) ‘considers requirements for the scientific processing of health data at its 104th conference’ – which took place between 22nd and 24th November in Bonn. The Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) highlighted the importance of ‘transparent and comprehensible rules…the best legal and technical protection for data subjects…advice and monitoring by…data protection supervisory authorities’ and ‘legal regulation of research secrecy’. Further, according to the press release: ‘For the DSK, the basic guarantees and measures also include the issues of encryption and pseudonymization of data by a trusted body, as well as the earliest possible anonymization, as, when using anonymous data sets, researchers can make extensive use of data. A central register directory and a central coordinating body with a guiding function are also among the requirements of the DSK. Overall, the principle should apply that the more extensively and specifically data can be used, the greater the protection of the data subjects through suitable guarantees and measures.’ Unfortunately, at the time of writing, information appears to be available only in German.
|
|
|
- EDPB Holds 72nd Plenary Meeting -
On 5th December, the EDPB held its 72nd plenary Meeting. From the Agenda of the meeting, it becomes clear that the EDPB focused on the consistency mechanism and discussed, amongst others, the following points:
- ‘Decision on the dispute arisen on the draft decision of the Irish Supervisory Authority on Meta Platforms Ireland Limited and its Facebook service ( Art. 65(1)(a) GDPR)’;
- ‘Decision on the dispute arisen on the draft decision of the Irish Supervisory Authority on Meta Platforms Ireland Limited and its Instagram service (Art. 65(1)(a) GDPR)’;
- ‘Decision on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland Limited (Art. 65(1)(a) GDPR)’.
|
|
|
|
|
Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.
|
|
|
|
|
Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
|
|
|
Never miss a DPI again !
In our online library you can always have a second look on all Data Protection Insider Issues already been published.
|
|
|
We sincerely apologize if you find this email an intrusion of your privacy or a source of inconvenience to you.
If you would like to unsubscribe from the newsletter service, please send an E-Mail to [email protected]
|
|
|
|
