Data Protection Insider, Issue 63

EDPL Data Protection Insider 17.02.2022

-EDPB Adopts Opinion on Luxembourg DPA’s Draft Certification Criteria-

On 1st February, the EDPB adopted ‘Opinion 1/2022 on the draft decision of the Luxembourg Supervisory Authority regarding the GDPR – CARPA certification criteria’. The criteria were drafted by the Luxembourg DPA under Article 42(5) of the GDPR and were submitted to the EDPB for an Opinion according to Article 64(1)(c) of the GDPR. The certification criteria do not correspond to criteria ‘according to article 46(2)(f) of the GDPR meant for international transfers of personal data and therefore does not provide appropriate safeguards within the framework of transfers of personal data to third countries or international organisations.’ The EDPB conducted its evaluation in accordance with Annex 2 of its ‘Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation’. The evaluation is extensive and includes sections on: ‘General remarks’; ‘Scope of the certification mechanism and Target of Evaluation (ToE)’; ‘Procedure to determine a Target of Evaluation (ToE)’; ‘Certification criteria’; ‘Lawfulness of Processing’; ‘Principles of Article 5’; ‘General Obligations for Controllers and Processors’; ‘Rights of data subjects’; and ‘Risks for the rights and freedoms of natural persons and technical and organisational measures guaranteeing protection’. The EDPB concludes that ‘the GDPR – CARPA certification criteria may lead to an inconsistent application of the GDPR’ and provides an extensive list of ‘changes [which] need to be made in order to fulfill the requirements imposed by Article 42 of the GDPR in light of the Guidelines and the Addendum’ – referring to the Guidelines mentioned above and to the document ‘Guidance on certification criteria assessment (Addendum to Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation)’. It is interesting to see EDPB evaluation procedures used in practice, and the Opinion is worth a read for all engaged with certification criteria.

https://edpb.europa.eu/system/files/2022-02/opinion_01-2022_gdpr-carpa_certification_criteria_en.pdf

-Conseil d’Etat Confirms Cookie Fine Against Google-

On 28th January, the Conseil d’Etat upheld the €100 million fine imposed on Google LLC and Google Ireland Limited by the CNIL in December 2020. The fine concerns the placing of cookies on users’ devices without their consent, without having provided them with sufficient information and without giving them the opportunity to refuse the cookies. The cookies remained active even if individuals turned off the personalised ads functionality. The CNIL concluded that this breaches the French provisions implementing the e-Privacy Directive. In other words, it argued that the provisions of the GDPR concerning DPA competence – including the ones on the one-stop-shop principle – are not applicable. Thus, the CNIL concluded that it was competent to examine the case itself rather than forward it to the Irish DPC, which is the lead competent authority under the one-stop-shop principle. The Conseil d’Etat confirmed the CNIL’s arguments and the fine. The Conseil d’Etat did not consider it necessary to ask the CJEU whether the one-stop-shop principle indeed does not apply in the case. It also considered the imposed fine to be proportionate.

https://www.cnil.fr/fr/cookies-le-conseil-detat-valide-la-sanction-de-2020-prononcee-par-la-cnil-contre-google

-Google Analytics Declared Illegal in France and Austria-

NOYB had previously filed 101 complaints with all the EU and EEA Data Protection Authorities (DPAs), claiming that the use of Google Analytics does not comply with the CJEU’s ruling on data transfers, the ruling which struck down Privacy Shield. The tool is used mainly to analyse the traffic through websites. Now, both the CNIL and the Austrian DPA have declared that the transfer of personal data to the US in the framework of the Google Analytics tool, as used by European websites, infringes the GDPR. This is mainly due to the fact that, once the data are transferred to the US, they might land in the hands of US intelligence authorities, and the safeguards on the basis of which the data transfers take place cannot ensure that these authorities will not get hold of the transferred personal data. Following the establishment of the infringement, the CNIL has ordered the concerned French website to stop using Google Analytics and has suggested that the website could use another, GDPR-compliant tool. In the case of Austria, since the concerned website has merged with a German entity, a common enforcement action with the responsible German DPA is expected. According to NOYB, further similar decisions in relation to the remaining complaints and other websites are expected from the other DPAs, since all the addressed DPAs have collaborated in analysing the problem in the framework of the EDPB.

https://noyb.eu/en/update-cnil-decides-eu-us-data-transfer-google-analytics-illegal

-Slovenia’s Breaches of the GDPR on the Commission’s Radar-

On 9th February, the European Commission sent Slovenia a letter of formal notice concerning the fact that Slovenia has not adopted national data protection provisions pursuant to the GDPR, even though the latter has been applicable since May 2018. More precisely, Slovenian law still does not enable the Data Protection Commission to exercise all the corrective powers provided for in the GDPR and thus to ensure the enforcement of GDPR provisions in Slovenia. The letter sent to Slovenia also refers to Slovenia ‘failing to fulfil its notification obligations under the General Data Protection Regulation (GDPR)’, although it is not clear which notification obligations are meant. Slovenia now has two months to respond to the Commission’s letter. If the Commission is not satisfied with the response, i.e. if it believes that Slovenia continues to infringe the GDPR, it may send Slovenia a reasoned opinion.

https://ec.europa.eu/commission/presscorner/detail/en/inf_22_601

-Commission Publishes Study on Data Flows-

On 3rd February, the European Commission published the ‘Study on Mapping Data Flows – Final Report’. The study, ‘which is part of the European Commission initiative ‘The European Data Flow Monitoring’, provides an innovative and replicable methodology to estimate and monitor the volume and types of data flows within the EU, EFTA countries and the UK…[and] provides the tools for a continuous analysis of data flows and the economic development of the EU’s data processing sector’. In this regard: ‘It can be used in future to monitor data flow trends across and within the European Union to provide evidence in support of EU policy, trade and investment decisions.’ In terms of content, the study ‘provides a holistic approach and an integrated view of enterprise data flowing to cloud data centres and edge centres within the EU; between the EU and the UK; and between EU and EFTA’. The study is long – at 112 pages excluding Annexes – and does not solely concern flows of personal data. Yet the mapping provides granularity to the abstract concept of ‘data flows’, and the study contains a great quantity of data and many thought-provoking observations and predictions. In relation to flows of personal data, for example, the study observes that: ‘Concerning data types, 41 per cent of the total data stored in cloud infrastructure is personal data and 59 per cent is non-personal data. Of these 41 per cent of personal data, 11 per cent is generated by a user/individual.’

https://digital-strategy.ec.europa.eu/en/library/study-mapping-data-flows

-AEPD Issues 3,000,000 Euro Fine for Failure to Obtain Legitimate Consent-

As reported by the EDPB, the AEPD – the Spanish DPA – has issued a ‘fine of EUR 3,000,000 to CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. for lack of specific and informed consent regarding profiling for commercial purposes’. The fined entity functions as a payment institution. In this context, the entity creates profiles for the purposes of risk assessment and ‘[s]election of target audience’. Consent for these activities was requested only in general terms. In this regard, ‘the interested party is provided only with generic information on the different profiling treatments and with this information the interested party is not able to know exactly what [they are] consenting to. Nor is there any provision for the person concerned to express his or her choice on all purposes for which the data are processed’. Accordingly, the EDPB reports that the fine was issued ‘for lack of specific and informed consent regarding profiling for commercial purposes [and] the controller [was ordered] to bring processing operations into compliance with the provisions of the GDPR within six months of [the] decision.’

https://edpb.europa.eu/news/national-news/2022/aepd-fine-eur-3000000-caixabank-payments-consumer-efc-ep-sau-lack-specific_en