Data Protection Insider, Issue 65

EDPL Data Protection Insider 17.03.2022

- ECtHR Rules on Minor’s Privacy -

On 1st March, the European Court of Human Rights ruled in the case of I.V.Ț. v. Romania. In terms of the facts, the case concerned an interview with the applicant, a minor at the time, by a television news crew, following the death of a schoolmate. The interview concerned the death of the student despite the applicant not having been present at the event. The interview was conducted without parental consent. The interview was broadcast, and, as a result of the content of the interview, the applicant suffered anguish due to reactions from classmates and teachers. The applicant brought proceedings before domestic courts concerning the anguish felt and the lack of parental consent for the interview – despite this being required under national law. The higher domestic courts eventually found that the broadcast of the interview was acceptable in light of the public interest in the story and that the anguish felt did not constitute a direct result of the broadcast of the interview – but rather of unprofessional behaviour by teachers. Accordingly: ‘The applicant complained [to the ECtHR] that the national authorities had failed to protect her right to respect for her private life and in particular the right to respect for her image as provided in Article 8 of the Convention’. The Court found in favour of the applicant. The Court highlighted the positive obligations on states relevant in ensuring respect for private life, states’ need to take into account the vulnerability of minors in ensuring this protection, and the need to balance, in such cases Article 8 and Article 10 – ‘the private broadcasting company and journalists’ right to impart information as guaranteed by Article 10’. In this regard, the Court ‘referred to its case-law in which the criteria for balancing the protection of private life against freedom of expression were set out…[which] include: contribution to a debate of public interest; the degree of notoriety of the person affected; the subject of the report; the prior conduct of the person concerned; the content, form and consequences of the publication; and the circumstances in which images were taken.’ In applying these principles to the case, the Court concluded: ‘the higher domestic courts only superficially engaged in the balancing exercise between the applicant’s right to private life and company X’s freedom of expression, and this exercise was not carried out in conformity with the criteria laid down in the Court’s case-law…In the Court’s view, the above considerations – especially on the young age and the lack of notoriety of the applicant; on the little contribution that the broadcast of her interview was likely to bring to a debate of public interest and on the particular interest of a minor in the effective protection of her private life – are sufficiently strong reasons to substitute its view for that of the domestic courts…The Court finds that, given their duty to duly take into account the rights of minor children…the latter failed to strike a fair balance between the relevant interests, thus failing to comply with their positive obligations to protect the applicant’s right to respect for her private life.’

https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-215919%22]}

-EDPS Issues Opinion on the Prüm II Proposal-

 On 2nd March the EDPS issued Opinion 04/2022 on the proposed Regulation for automated data exchange for police cooperation (Prüm II). The proposed Regulation seeks to update the existing Prüm Decisions, ‘laying down the conditions and the procedures for the automated searching of DNA profiles, dactyloscopic data (fingerprints), facial images, police records and certain vehicle registration data, as well as exchange of data following a match.’ The EPDS raises the following main concerns in his Opinion, which deal, in particular, with the necessity and proportionality of the initiative: (1) the scope of the Proposal is not clear as concerns the crimes for which a query may be launched; (2) the scope of the Proposal is also not clear as to the affected data subjects – i.e. whether witnesses and victims may also be the subject of data exchanges – and it should further be clarified for which crimes and categories of individuals highly sensitive data such as DNA profiles, but also facial images, might be exchanged and what safeguards against abuse are provided; (3) the inclusion of Europol into the Prüm framework – i.e. its ability to check third country-sourced data against Member State records and vice versa; (4) the unclear responsibility in terms of data protection and the governance of cooperation; and (5) the lack of clarification regarding the fact that the data protection provisions in the Proposal should not prejudice the applicability of the LED and Regulation 2018/1725. The Opinion briefly discusses further points which might be interesting for the reader, e.g. the relationship between Prüm II and the upcoming interoperability scheme in the Area of freedom, security and justice.

https://edps.europa.eu/system/files/2022-03/22-03-07_opinion-4-2022_prum_en.pdf

-EDPS Issues Opinion on the Proposal for LEA Data Exchange-

On 7th March the EDPS issued Opinion 05/2022 on the Proposal for a Directive on information exchange between law enforcement authorities of Member States. As to the Proposal, it aims to guarantee ‘the equivalent access for any Member State’s law enforcement authorities to information available in other Member States for the purposes of preventing and detecting criminal offences, conducting criminal investigations or criminal operations, thereby overcoming currently existing rules at national level, which impede the effective and efficient flow of information’. The EDPS makes several recommendations concerning the proposal: (1) re-considering whether the GDPR is relevant as a horizontally applicable law and potentially mentioning only the LED as the applicable general law on data protection; (2) clarifying the scope of the Proposal in terms of the individuals to whom it will apply – i.e. whether it will include witnesses and victims; (3) providing for data storage limits when it comes to data storage by the prospective Single Points of Contact (SPOC) in each Member State which will be tasked with data exchange; and (4) that the Member States should decide on a case-by-case basis whether to send a copy of the data exchanged between themselves to Europol where the data concern a crime falling within Europol’s mandate in order to avoid a situation in which Europol receives excessive amounts of data.

https://edps.europa.eu/system/files/2022-03/22-03-07_opinion-5-2022-law-enforcement-authorities_en.pdf

-Italian DPA fines Clearview and Orders Data Deletion-

On 9th March, the Garante – the Italian DPA – announced a decision in its investigation into Clearview AI. The investigation concerned the tracking of ‘Italian nationals and persons located in Italy’ by the company, which ‘owns a database including over 10 billion facial images from all over the world, which are extracted from public web sources (media outlets, social media, online videos) via web scraping…[and] offers a sophisticated search service which allows, through AI systems, [the] creat[ion of] profiles on the basis of the biometric data extracted from the images.’ The Garante found several breaches of the GDPR, including that: ‘personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis – since the legitimate interest of the US-based company does not qualify as such’; transparency obligations were not met, as the company ‘failed to adequately inform users’; purpose limitation principles were not respected, as the company ‘processed users’ data for purposes other than those for which they had been made available online’; and storage limitation principles were not respected, as the company ‘did not set out any data storage period’. In consequence, the Gar ante ‘fined Clearview AI EUR 20 million…ordered the company to erase the data relating to individuals in Italy…banned any further collection and processing of the data through the company’s facial recognition system…[and] ordered [the company] to designate a representative in the EU to be addressed in addition to or instead of the US-based controller in order to facilitate exercise of data subject rights.’ This decision will further stoke the fires of discussion on the use, and boundaries of use, of facial recognition and AI. It will be interesting to see how other supervisory authorities receive this decision.

https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/9751323#english#

-EDPB 62nd Plenary-

On 14th March 2022, the EDPB held its 62nd plenary meeting. Amongst the topics discussed – see the link below for the full agenda – the following stand out as particularly interesting:

  • ‘Guidelines on Article 60 GDPR (Cooperation and One-Stop-Shop mechanism)’
  • ‘EDPB-EDPS Joint Opinion on Covid-19 certification Regulation extension’
  • ‘Guidelines on data protection in social media platform interfaces: practical recommendations’
  • ‘Draft toolbox on essential data protection safeguards for enforcement cooperation between EEA and third country data protection authorities’
  • ‘Amendment of the Rules of Procedure by the RoP Drafting Team concerning the notification and translation of binding decisions – request for mandate’

At the time of writing, news concerning the outcomes of the plenary was not yet available. We expect news to appear on the EDPB website in the following days.

https://edpb.europa.eu/system/files/2022-03/20220314plen1.2agenda_public.pdf

-Belgian DPA on Preliminary Data Protection Authority Law-

On 25th February, the Executive Committee of the Belgian DPA issued its ‘Opinion on preliminary draft law amending the Act of 3 December 2017 establishing the Data Protection Authority’. In principle, the Committee ‘endorses the main principles underlying the Preliminary Draft, insofar as it aims to strengthen the operation and independence of the DPA.’ The Committee then goes on, however, to highlight a number of concerns they have with the proposed law. These include: concerns that ‘European law requirements on independence [are] not guaranteed’ – including an extensive discussion on the ways in which they foresee that requirements are not guaranteed; concerns related to the ‘operation of the Executive Committee’; concerns revolving around ‘essential procedural provisions [which] belong in the law’; and concerns relating to the envisaged ‘new powers for the authorisation and advisory service’. To fully understand the content, context and consequences of the opinion, a knowledge of the Belgian situation is likely required. Nevertheless, even without such knowledge, the opinion makes interesting reading. This is true for a number of reasons, including: i) the opinion touches on the specifics of the internal structure and function of a DPA, which are not always the focus of attention; ii) the opinion highlights the significance of changes to structure and function in relation to the capacity of a DPA to fulfil its goals; and iii) the opinion deals with important issues – such as the independence of DPAs – in a way which has relevance beyond the Belgian context.

https://www.autoriteprotectiondonnees.be/publications/opinion-on-preliminary-draft-law-amending-the-act-of-3-december-2017-establishing-the-data-protection-authority.pdf
Lexxion |