- Cyberbullying as a Form of Domestic Violence -

On 11th February, the ECtHR ruled on the Buturuga case concerning cyberbullying. In 2013, Ms Buturuga complained to Romanian authorities about domestic violence. In 2014, she then complained of a breach of confidentiality of correspondence. She claimed her ex-husband had illegally accessed her social media accounts – e.g. Facebook – and had copied information from them. However, the prosecutor’s office decided to discontinue the investigation into the latter complaint. The domestic courts ruled, on appeal, that the data from the social media accounts was public and had no connection to the domestic violence claims. Against this background, the applicant alleged the failure of the domestic courts to examine, on merit, complaints of cyberbullying linked to complaints about domestic violence, constituted an interference of Articles 3 and 8. In its ruling the ECtHR agreed and found a violation of both Articles. In this regard, the ECtHR emphasized two points. First, cyberbullying is already recognised as an aspect of violence against women and girls. Second, cyberbullying has a broad scope and can include breaches of privacy, intrusion into the victim’s computer and the capture, sharing and manipulation of data and images, including private data. Two observations arising from the case stand out. First, the case highlights that certain domestic courts and investigatory authorities remain problematically underinformed about privacy issues – particularly information privacy issues. Second, the ECtHR has sent a clear message that cyberbullying can be examined as an aspect of (domestic) violence against women and girls.

https://hudoc.echr.coe.int/app/conversion/pdf?library=ECHR&id=003-6635916-8811383&filename=Judgment%20Buturuga%20v.%20Romania%20-%20allegations%20of%20domestic%20violence%20and%20cyberbullying.pdf

- ECtHR on the Retention of DNA Profiles, Fingerprints and Photographs -

On 13th February, the ECtHR ruled on the case of Gaughran v. The United Kingdom. The facts of the case were as follows: the applicant was arrested and convicted for drunk driving in Northern Ireland. In the course of his arrest and conviction, a range of personal data was taken from him, including: his DNA, from which a DNA profile was created; his fingerprints; and a photograph. This personal data was then retained for an indefinite period under national legislation. The applicant alleged that the indefinite retention of this data constituted a disproportionate interference with his Article 8 right to respect for private life. The Court unanimously ruled an interference had taken place. In this regard, the Court reasoned that ‘the indiscriminate nature of the powers of retention of the DNA profile, fingerprints and photograph of…[a] person convicted of an offence, even if spent, without reference to the seriousness of the offence or the need for indefinite retention and in the absence of any real possibility of review, failed to strike a fair balance between the competing public and private interests.’ The case is interesting for several reasons. Two deserve mention. First, the Court highlighted the unique post-mortem, familial, privacy interests engaged by DNA profiles. Specifically, the Court highlighted that an indefinite DNA profile retention scheme was not comparable to an indefinite fingerprint or an indefinite photo retention scheme as DNA profiles could allow information on genetic relatives to be extracted and processed long after an initial donor had died. Second, the Court highlighted the significance of facial recognition technologies as transformative of the degree of interference with fundamental rights implied by the retention of photographs.

https://hudoc.echr.coe.int/eng#%7B%22article%22:%5B%228%22%5D,%22documentcollectionid2%22:%5B%22GRANDCHAMBER%22,%22CHAMBER%22%5D,%22itemid%22:%5B%22001-200817%22%5D%7D

- ECtHR on the Retention of DNA Profiles (Again) -

On 13th February, the ECtHR ruled on the case of Trajkovski and Chipovski v. North Macedonia. The facts of the case were as follows: in the course of their arrest and conviction for theft, the two applicants had DNA samples extracted from them. The DNA profiles created from these DNA samples were then retained by national law enforcement authorities. The applicants alleged the extraction and retention of, respectively, their DNA samples and DNA profiles, constituted an infringement of their Article 8 rights to respect for private life. In particular, they applicants alleged there was no clear legislative framework governing such extraction and retention in North Macedonia. The Court unanimously found an interference had taken place. In this regard, the Court argued that: ‘the blanket and indiscriminate nature of the powers of retention of the DNA profiles of the applicants, as persons convicted of an offence, coupled with the absence of sufficient safeguards available to the applicants, fails to strike a fair balance between the competing public and private interests.’ The case is less interesting than the similar case of Gaughran v. The United Kingdom (discussed above). The legal logic sticks closely to established principles in ECtHR case law and the facts of the case are such that the finding is unsurprising. Nevertheless, there are noteworthy aspects of the ruling. In particular, the Court asserted that ‘DNA material’ constitute personal data – reiterating their position in the Marper case. This assertion adds further legal weight to the argument that DNA samples and other biological material should be regarded as personal data in EU data protection law.

https://hudoc.echr.coe.int/eng#%7B%22article%22:%5B%228%22%5D,%22documentcollectionid2%22:%5B%22GRANDCHAMBER%22,%22CHAMBER%22%5D,%22itemid%22:%5B%22001-200816%22%5D%7D

- ECtHR on Lawyer-Client Confidentiality -

On 4th February, the ECtHR ruled in the Krugov and others case concerning police searches of lawyers’ homes and offices. The fifteen applicants were lawyers and clients of the applicant lawyers. Of the lawyers, only one was under suspicion of having committed a criminal offence. The applicants’ alleged that the search warrants and/or the way the searches had been carried out were illegitimate and constituted a violation of their Article 8 rights. The ECtHR concurred and found a violation. The ECtHR asserted that the warrants and searches had an overly broad scope and that the domestic courts which had permitted them had failed to strike the right balance between the need for confidentiality in lawyer-client relationships and the need to investigate crime. In particular, the ECtHR highlighted that adequate safeguards to protect lawyer-client confidentiality were missing from the warrants and searches. For example, there was no sifting of data carried out to make sure investigating authorities did not obtain data unrelated to the cases being investigated. The reasoning of the ECtHR in the case was notable for several reasons. Two stand out. First, although the ECtHR asserted that Russian law complied with the “in accordance with the law” criterion, the ECtHR also highlighted – in somewhat contradictory manner – that Russian law did not protect all types of professional confidentiality. Second, as the ECtHR pointed out on several occasions throughout the judgment, the domestic authorities failed to perform adequate necessity and proportionality assessments. This observation is unusual for a case concerning Article 8 and Russia. In other such cases, the ECtHR has tended to focus on the “in accordance with the law” requirement and has refrained from looking at the necessity and proportionality of measures.

https://hudoc.echr.coe.int/eng#%7B%22itemid%22:%5B%22001-200719%22%5D%7D

- EDPB Draft Guidelines on Connected Vehicles -

On 7th February, the EDPB published its draft Guidelines on Connected Vehicles and Mobility Related Applications. The draft Guidelines are welcome in dealing with an issue which is gaining in prominence and significance, as more and more types of vehicle integrate personal data processing systems. The draft Guidelines are also welcome in their holistic description of the data protection principles which are relevant in relation to connected vehicles and in how these principles might be discharged. With such a holistic approach, however, comes the natural downside that the depth of consideration of each provision is limited. For example, the Guidelines place a heavy emphasis on the need for data controllers to obtain consent from data subjects for processing in connected vehicle applications – according to Article 5(3) of the ePrivacy Directive. Yet, the Guidelines fail to provide any in-depth look at how consent might effectively be requested and obtained. Several aspects of the Guidelines are of interest. Two deserve mention. First, the Guidelines are directed at, amongst others, manufacturers. On the one hand, this makes sense as manufacturers are key players in setting the data processing parameters of connected vehicles and mobility related applications. On the other hand, however, recall that EU data protection law has never directly applied to manufacturers. Second, the Guidelines suggest that, if initial processing is legitimated based on consent, further processing, even if not foreseen at the moment consent has been obtained, cannot be legitimated based on compatibility under Article 6(4) GDPR. This is a novel conceptualisation of the limits of compatible secondary processing not found in law. The draft Guidelines are now open for public consultation. The consultation process will run until the 20th March 2020.

https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_202001_connectedvehicles.pdf

- Irish DPC Opens Probes into Google and Tinder -

The Irish DPC has opened fresh probes into Google and Tinder. The investigation against Google concerns the processing of location data and the transparency of this processing. The probe follows complaints by national consumer organisations lodged at the end of 2018. The investigation against Tinder concerns the transparency of the processing of users’ data and the handling of users’ requests to exercise data subject rights. The Irish DPC pointed out that the latter investigation is not a response to any one complaint. Rather, the investigation was sparked by numerous similar complaints. The Irish DPC are to be applauded for taking the issue of transparency and data subjects’ rights on platforms so seriously – even if the launch of the investigations took more than a year. The launch of the investigations is significant for several reasons. Two stand out. First: the investigations will likely result in the elaboration of specific principles concerning data subject transparency on platforms. Second: the investigations will likely result in clearer elaborations of how apps should realise users’ data subject rights. In this regard, the investigations may provide a forum through which to clarify whether platforms are required to disclose the mechanics of their profiling algorithms to users.

https://www.politico.eu/article/ireland-launches-fresh-probes-into-google-and-tinder/

Recommend this newsletter. If you were forwarded this email, subscribe here https://dev.lexxion.eu/en/newsletter/

Lexxion Verlagsgesellschaft mbH
Güntzelstr. 63
10717 Berlin
Deutschland

+49-(0)30-814506-0

https://dev.lexxion.eu

We sincerely apologize if you find this email an intrusion of your privacy or a source of inconvenience to you. If you would like to unsubscribe from the newsletter service, please click here:

Terms https://dev.lexxion.eu/en/terms-conditions/ | Privacy https://dev.lexxion.eu/en/data-protection/