Data Protection Insider, Issue 66

EDPL Data Protection Insider 31.03.22

- The CJEU Clarifies the Judicial Capacity Exemption in the GDPR -

On 24th March, the CJEU ruled on the scope of the judicial capacity exemption as concerns DPA supervision in the case of X, Z v Autoriteit Persoonsgegevens. As to the facts of the case, the first applicant (X) was a party to a court case, as represented by Z. They discovered that materials relevant to the case, including their personal data, had been disclosed to a journalist covering the case without their knowledge and consent. The applicants requested that the Dutch DPA enforce the GDPR in relation to the said disclosure. The DPA responded that it was not competent to take enforcement measures in relation to courts when these act in their judicial capacity. The applicants challenged the decision in court, arguing that the disclosure to journalists does not form part of the judicial activities of courts. The national court asked the CJEU to clarify the scope of the notion of ‘acting in their judicial capacity’ and the restriction on DPA supervision in relation to courts (Article 55(3) GDPR). The CJEU offered a broad interpretation of the notion of courts ‘acting in their judicial capacity’, which ‘must be understood, in the context of that regulation, as not being limited to the processing of personal data carried out by courts in specific cases, but as referring, more broadly, to all processing operations carried out by courts in the course of their judicial activity, such that those processing operations whose supervision by the supervisory authority would be likely, whether directly or indirectly, to have an influence on the independence of their members or to weigh on their decisions are excluded from that authority’s competence.’ Applying this reasoning, the Court concluded that the supervision by the DPA over the legality of the disclosure of court materials to a journalist is likely to interfere with judicial independence. Therefore, the exemption in Article 55(3) GDPR applies. 
The Court recalled that this conclusion is without prejudice to the compliance of court activities with the GDPR. We note that the CJEU seems to have closely followed the Opinion of AG Bobek of 6th October 2021.

https://curia.europa.eu/juris/document/document.jsf;jsessionid=2B42FF0ED3082FB385749D5500AA1AF1text=&docid=256461&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=1197171

- Political Agreement Reached on Digital Markets Act -

On 24th March, ‘[t]he Council and the Parliament reached a provisional political agreement on the Digital Markets Act (DMA), which aims to make the digital sector fairer and more competitive’. According to the Council: ‘Final technical work will make it possible to finalise the text in the coming days’. In particular, the Act lays out rules for large platforms which act as ‘gatekeepers’. In this regard: ‘[the Act] aims to ensure that no large online platform that acts as a ‘gatekeeper’ for a large number of users abuses its position to the detriment of companies wishing to access such users’. Gatekeepers which violate the terms of the Act risk ‘a fine of up to 10% of…total worldwide turnover…[and repeat offenders risk] a fine of up to 20% of…worldwide turnover.’ The provisional agreement is now subject to final agreement by the Council and Parliament. The Act is highly significant for the development of the digital society and should be of significant interest to the data protection community.

https://www.consilium.europa.eu/en/press/press-releases/2022/03/25/council-and-european-parliament-reach-agreement-on-the-digital-markets-act/

- EDPB Adopts Guidelines on Dark Patterns in Social Media Platform Interfaces -

On 14th March, the EDPB adopted ‘Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them’. The EDPB defines dark patterns as ‘interfaces and user experiences implemented on social media platforms that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data.’ The Guidelines contain practical recommendations about how social media platforms should comply with the GDPR in order to avoid dark patterns, in particular when it comes to the general principles in Article 5 GDPR, the accountability of the controller, data subject rights and data protection by default. The Guidelines are thus addressed primarily to social media operators, but are also addressed to the users of social media. The Guidelines cover data processing from the creation of a social media account until its deletion by the user. The Guidelines focus on the following six dark patterns: overloading, skipping, stirring, hindering, fickle and left in the dark. They provide examples of each of these categories along with recommendations on how social media platforms should comply with the GDPR when designing functionalities. The EDPB clarifies that this list is not exhaustive and that social media operators should also avoid any other dark patterns. The Guidelines are open to public consultation until 2nd May 2022.

https://edpb.europa.eu/system/files/2022-03/edpb_03-2022_guidelines_on_dark_patterns_in_social_media_platform_interfaces_en.pdf

- EDPB and EDPS Opinion on EU Digital Covid Certificate Regulation -

On 14th March, the EDPB and EDPS released their joint Opinion ‘1/2022 on the Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) 2021/953 on a framework for the issuance, verification and acceptance of interoperable COVID-19 vaccination, test and recovery certificates (EU Digital COVID Certificate) to facilitate free movement during the COVID19 pandemic’. The EDPB and EDPS ‘note that the Proposals seek to extend the application of Regulation 2021/953 (EU Digital COVID Certificate) and, by extension, of Regulation 2021/954 by 12 months, as well as prolong for the same time the power of the Commission to adopt delegated acts pursuant to Regulation (EU) 2021/953’ as well as to ‘amend certain provisions of the Regulation’. In this regard, the EDPB and EDPS make certain general comments on the Proposal. For example, they assert that they ‘understand the need to extend the applicability of the Regulation’ whilst also considering that restrictions on free movement ‘put in place to limit the spread of SARS-CoV-2, including the requirement to present EU Digital COVID Certificates, should be lifted as soon as the epidemiological situation allows’. The EDPB and EDPS then go on to make a series of more specific comments. These encompass comments concerning: ‘[the l]ack of an evidential basis for the assessment of the necessity and proportionality of the Proposal’ – including a discussion of the lack of an impact assessment; and ‘[the m]odifications to current data fields’. The Opinion is short, at 8 pages. The Opinion will likely be most interesting for those tracking the details of COVID-related developments regarding data protection in the EU.

https://edpb.europa.eu/system/files/2022-03/edpb-edps_1-2022_joint_opinion_on_extension_of_covid_certification_regulation_en.pdf

- The Irish DPC Imposes a €17 Million Fine on Meta -

On 15th March, the Irish DPC fined Meta €17 Million for several GDPR violations. As to the facts of the case, in the second half of 2018, Meta notified the Irish DPC of 12 data breaches. Based on these, the Irish DPC conducted an investigation on its own motion into Meta’s compliance with the principles of data security as provided for in Articles 5(1)(f), 5(2), 24(1) and 32(1) GDPR. The Irish DPC concluded that Meta had not implemented adequate technical and organisational measures to ensure compliance with the GDPR: ‘While the DPC found that the information and supporting documentary evidence provided by Meta Platforms during the course of the inquiry could be considered analogous to industry best practice and the state of the art, Meta Platforms failed to have in place appropriate technical and organisational measures such as would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data’. Thus, it established that Meta had violated Article 5(2) GDPR and Article 24(1) GDPR – although the imposed fine relates to the infringement of Article 5(2) GDPR.

https://edpb.europa.eu/news/national-news/2022/irish-sa-fines-meta-platforms-formerly-facebook-eu17m-data-breaches_en

- CNIL Publishes 2022-2024 Strategic Plan -

On 14th March, the CNIL announced its 2022-2024 strategic plan. By way of background, the CNIL recognises that: ‘the increasing digitisation of economic and social life as well as the pandemic have increased the risks to privacy. Furthermore, the omnipresence of major digital services raises new regulatory issues. In this context, personal data is, more than ever, the common thread of our digital daily life. Faced with these findings, it is essential that the GDPR, through European cooperation between authorities, leads to full compliance of organisations, actual respect for individuals’ rights and a level playing field between economic players.’ Accordingly, the CNIL’s plan will be structured ‘around three key themes for a trusted digital society: promoting respect for rights, promoting the GDPR as an asset and targeting regulation for high-stake issues.’ In relation to the first theme, the CNIL observes it will ‘[work] to promote the exercise of individuals’ rights’. In relation to the second theme, the CNIL highlights it will ‘in particular, strengthen its offer of support by making it easier to understand the legal framework, developing compliance tools and helping to protect against cyber risks’. In relation to the third theme, the CNIL notes it will ‘implement a global action plan covering three key themes’ – including ‘[s]mart cameras and their uses’, ‘[d]ata transfers in the cloud’ and ‘[c]ollection of personal data in smartphone applications’.

https://www.cnil.fr/en/cnil-publishes-its-2022-2024-strategic-plan