July 2019 EU affairs newsletter
Data Protection. 2
French Data Protection Authority CNIL releases online marketing action plan. 2
Italian DPA fines Facebook for data protection breach in Cambridge Analytica issue. 2
CJUE hearing on “Schrems II” and Standard Contractual Clauses. 2
CJEU: Websites jointly liable for data use via Facebook 'Like' button. 5
New Council paper from Finnish Presidency to be discussed in working group in September 5
About FEBIS– Federation of Business Information Services. 6
French Data Protection Authority CNIL releases online marketing action plan
France’s data protection authority, the CNIL, has released its action plan for online marketing for 2019–20. The CNIL said its focus on online marketing is in response to complaints made by individuals and organizations and as marketing professionals seek to learn about their obligations under the EU General Data Protection Regulation. The agency announced it will publish new guidelines in July and will consult with stakeholders in order to develop new recommendations on the operational aspects of consent
collection, which the CNIL hopes to publish by December or early next year.
Link to CNIL press release : https://www.cnil.fr/en/online-targeted-advertisement-what-action-plan-cnil
Italian DPA fines Facebook for data protection breach in Cambridge Analytica issue
Italy’s data protection authority, Garante, announced it had fined Facebook 1 million euros over Cambridge Analytica, Politico reports. The agency found 57 citizens downloaded the This Is Your Digital Life app tied to Cambridge Analytica; however, the DPA found no information had been passed onto the firm. The fine is the largest Facebook had to face for Cambridge Analytica, as it surpasses the 500,000 GBP penalty issued by the U.K. Information Commissioner’s Office. The fine issued by Garante was not issued under the EU General Data Protection Regulation.
CJUE hearing on “Schrems II” and Standard Contractual Clauses
Ireland’s data protection authority came under fire during a hearing at the Court of Justice of the European Union on July 9th over its refusal to take a decision on whether Facebook could transfer the personal data of Europeans to the United States.
EU institutions, national governments and industry groups joined Austrian privacy activist Max Schrems and even the Irish government in lining up to criticize the Dublin-based regulator, which had deferred the matter to Ireland’s highest court.
“The Data Protection Commissioner has the necessary power to suspend or prohibit data flows,” a representative for the Irish government said, referring to Facebook’s data transfers to the U.S., which were the subject of a complaint brought by Schrems in 2013. “We acknowledge the difficulty of the task, but it should not mean all standard contractual clauses should be deemed invalid.”
Instead of deciding on the case, the Irish Data Protection Commission (DPC) asked its country’s national courts to determine whether so-called standard contractual clauses — complex legal mechanisms that allow thousands of companies to move data from Europe to the U.S., Asia and elsewhere — were valid.
The Irish High Court then referred the case to the Court of Justice of the European Union (CJEU), which now has to assess whether they violate Europeans’ fundamental right to privacy, leading to Tuesday’s hearing. In his original complaint, Schrems sought to get Facebook to stop sending Europeans’ personal data to the United States on the basis that it would be subject to surveillance from intelligence bodies such as the National Security Agency.
The Privacy Shield is a transatlantic data flow agreement allowing companies to transfer European personal data from the EU to the U.S. It replaces the Safe Harbor, which was struck down by the CJEU in late 2015.
Data shutdown fears
Schrems’ complaint focuses squarely on Facebook and the so-called standard contractual clauses it used to transfer personal data to the United States.
But the judges in Luxembourg, whose final decision is expected in early 2020, could make a ruling on the validity of standard contractual clauses in general. Companies worry that a ruling to invalidate the clauses could turn off data transfers from Europe to the U.S. overnight and affect flows to other parts of the world such as Asia and South America.
“The effect [of an invalidation of standard contractual clauses] on trade would be immense and would have World Trade Organization implications for the EU,” Facebook’s lawyer told the court. “There is no evidence that Facebook’s transfers are under any particular risks.”
Both the tech giant and the U.S. government made the argument that ruling on a foreign surveillance regime is not within the court's scope. Europe's sweeping privacy reform — the GDPR — does not give the EU the mandate to "conduct a worldwide enquiry" of surveillance regimes across the world, a representative for the U.S. government said.
Meanwhile, the Irish regulator argued that the European court should invalidate standard contractual clauses because they do not offer sufficient remedies for users whose data has been collected by U.S. intelligence agencies.
Ganging up against the DPC
Schrems had originally complained to Ireland’s DPC, which is in charge of Facebook, given the location of the company’s European headquarters in Dublin.The regulator questioned the validity of standard contractual clauses in general, and the High Court asked the CJEU to rule on the compliance of such mechanisms in general with the Charter of Fundamental Rights.
But the Austrian activist did not want to question the validity of all standard contractual clauses.“We agree with the DPC [on U.S. surveillance], but not on the radical solution. The solution is not for the court to invalidate standard contractual clauses but for the Data Protection Commissioner to enforce them,” his lawyer said.
The European Commission, EU governments and tech lobby BSA-The Software Alliance, which represents companies such as Apple, IBM and Microsoft (but not Facebook), defended the overall validity of the transfer mechanism. “This case is not about U.S. laws but about who's responsible for what. What's the responsibility of the European Commission, the DPC, national courts ...” the Commission said. The Netherlands and the U.K. echoed Ireland’s comments about the DPC’s role in stopping data transfers.
Privacy Shield’s shadow
For the hearing, the court also asked a series of questions about the legality of the separate Privacy Shield transatlantic data flow agreement. Judges insisted the two cases are linked.
A separate hearing on the Privacy Shield agreement at the EU's General Court has been postponed pending a judgment in the case heard on July 9th .
The EDPB also expressed some known concerns about effective remedies for European citizens in the U.S. The board “cannot state that the Ombudsperson constitutes an effective remedy," Jelinek told the court, referring to the person in charge of handling complaints by European citizens.
Unsurprisingly, the Commission defended its decision to strike an agreement with Washington on data flows. But it struggled to answer to the judge’s questions about whether U.S. intelligence agencies have access to content data from EU users.
National governments, including Ireland, urged judges to “confine their examination” to standard contractual clauses.
The conclusions from the court’s advocate general are expected December 12.
French DPA updates guidelines on cookies post GDPR
The French DPA CNIL has tightened its guidelines on cookies to comply with GDPR and EDPB guidelines on consent. Therefore, continuation of browsing will not be deemed as valid consent anymore and that cookies walls are not valid either. These new guidelines replace the version that had been adopted in 2013, and digital and advertising companies have one year to become compliant.
Link to the text published (in French):
CJEU: Websites jointly liable for data use via Facebook 'Like' button
The Court of Justice of the European Union ruled third-party websites are jointly responsible for the processing of personal data under EU privacy rules when users click on a Facebook “Like” button embedded on a third-party site, Bloomberg reports. The court responded to a case in which an online fashion retailer was accused of violating EU law through its use of the Like plugin. The case was launched before the EU General Data Protection Regulation went into effect. The court ruled a website can be held jointly responsible for “the collection and transmission to Facebook of the personal data of visitors to its website.” Facebook Associate General Counsel Jack Gilbert said in a statement the company is reviewing the decision and will work with its partners to ensure continued compliance with the law.
New Council paper from Finnish Presidency to be discussed in working group in September
The Finnish Presidency unveiled on July 26th a new working document for the Council telecommunication working group to discuss early September on
the draft e-privacy regulation.
This working paper concentrates on article 5 to 10 and clearly specifies that articles 12 to 16 won’t be discussed at the next TELE WG in September.
It also takes into account the position unveiled by the German delegation which didn’t agree on the former proposal done by the Romanians on article 6. The Finnish Paper therefore proposes that article 6 has been divided in 4 articles:
· article 6 dealing with processing of all electronic communications data (ex. 6(1)),
· article 6a dealing with processing of electronic communications content (ex. 6(3)),
· article 6b dealing with processing of electronic communications metadata (ex. 6(2)),
· article 6c dealing with further processing of electronic communications metadata (ex.6(2a).
Throughout article 6, the Presidency has deleted references to the processing only 'for the duration necessary for a specific purpose' and only 'if the purpose cannot be fulfilled by processing of information made anonymous'. New art. 6(2) now clarifies that these principles are universally applicable to all types of processing under articles 6 to 6c. The Presidency's reading is that this would anyway be the case by virtue of the principles established by the GDPR. Also the concept of anonymisation in relation to legal entities has been clarified in rec. 15a.
The link to the overall text can be seen here
Below is a snapshot of changes proposed to article 16 on direct marketing communications
Article 16 on direct marketing has been amended as follows by the Finnish paper
Write a comment