Posted in Dispute resolution and litigation
On March 21, 2019, Advocate General Szpunar released his opinion on the use of consent for the processing of personal data and for the use of cookies pursuant to the ePrivacy-Directive and the General Data Protection Regulation (GDPR).
The opinion includes several key points on whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and the GDPR and also gives insight on what constitutes ‘informed consent.’ Continue reading
Posted in Enforcement
A mid-level German employment court recently had to consider the scope of subject access requests under the EU General Data Protection Regulation (GDPR) in the context of compliance and whistle-blowing regimes. The Regional Labour Court (Landesarbeitsgericht) of Stuttgart decided that an employer was required not only to provide an employee with the records containing performance and behavioural data, but also to disclose information regarding internal investigations. This is the first reported successful enforcement of a data subject access right under Article 15 GDPR before a regional labour court in Germany. (The judgment was handed down on 20 December 2018 but has just been published in full text.) Continue reading
Posted in Compliance and risk management, Enforcement
This is the Data Protection Report’s eighth blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.
With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and the US, several US states, and the US Congress are showing they mean business in terms of data privacy.
To help companies best protect consumer data and remediate enforcement risks, we provide below an overview of the following:
On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”). See our previous blog posts on the GDPR here and here. The opinion also addresses GDPR requirements regarding (1) the legal basis for processing personal data in the course of a clinical trial protocol (primary use) and (2) the further use of clinical trial data for other scientific purposes (secondary use).
Even though the CTR already entered into force on June 16, 2014, the regulation’s application depends on the development of a fully functional EU clinical trials portal and database which is projected to be operational in 2020. In anticipation of the CTR’s applicability, the EDPB’s Opinion 3/2019 provides much needed clarification on the interplay between the GDPR and the CTR[1] and allows companies to update their processes and agreements to conduct clinical trials that comply with both regulations. Continue reading
On January 3, 2019, the federal trial court in Manhattan issued a preliminary injunction, temporarily halting a new local law aimed at required disclosures by home-sharing platforms, such as Airbnb and HomeAway, to the city. The court granted the preliminary injunction on the basis that the city’s broad requirement that the services turn over detailed customer information on a monthly basis likely violated the Fourth Amendment to the U.S. Constitution—infringing the privacy rights of the companies, rather than the users. In contrast, the court ruled that the companies’ Stored Communications Act claim did not meet the standard for a preliminary injunction. (Airbnb, Inc. v. City of New York, Case 1:18-cv-07712-PAE (S.D.N.Y. Jan. 3, 2019)). Continue reading
Posted in General
On 7 February 2019, the German antitrust authority (Bundeskartellamt, the FCO) ruled against Facebook combining user personal data from different sources, saying it was exploiting its position as a dominant social media company in violation of the EU data protection laws.
The FCO said that Facebook abused its market dominance in:
Facebook can no longer combine the personal data gathered from its own website, Facebook-owned services (like WhatsApp and Instagram) with personal data gathered from third-party websites through the “Like” or “Share” features of a user’s Facebook account.
Combining of personal data collected from different sources, according to the FCO, requires a user’s voluntary consent, if one takes account of Facebook’s dominant position in the market for private social networks. The FCO emphasised that Facebook is therefore not permitted to force its users to consent to the collection of their data from different sources under the Facebook terms of use.
According to Andreas Mundt, President of the FCO, Facebook, as a consequence of its dominant position, must not abuse its dominance. This means that Facebook, as a dominant company, is subject to “special obligations under competition law”, and therefore Facebook “must take into account that Facebook users practically cannot switch to other social networks.”
Voluntary consent requires that the user has a choice to deny Facebook access to certain data without losing access to Facebook’s services. The only real choice the user had is either to accept the comprehensive combining of its data, or to refrain from using the social network altogether. This constitutes “bundling” ( on a “take it or leave it” basis), which, according to the FCO, constituted an abuse of Facebook’s dominant position in the market for private social networks.
Therefore, the FCO concluded, the use of Facebook’s services must not be subject to a user’s “mandatory consent to their data being collected and combined in this way.” It emphasised that:
“ … personal data is nowadays an essential competitive factor. Especially for Facebook, personal data is the essential factor for establishing its dominant position. The attractiveness and value of the advertising spaces increase with the amount and detail of user personal data. As a market-dominating company, Facebook must, therefore, comply with the laws applicable in Germany and Europe, especially in relation to the collection and processing of personal data.”
The decision, of course, does not concern Facebook’s processing of personal data generated from its own website, which the FCO acknowledged is a legitimate core business model for data-based social networks like Facebook.
Facebook is reported to have said that it rejects the decision and that it intends to appeal within the one-month frame before the decision becomes final. If the decision is upheld, Facebook will be required to allow users to give their specific consent to the combination of data collected from other Facebook-owned sources and from third-party websites.
This is not a decision of a data protection supervisory authority, but it is widely influenced by the GDPR which also discourages bundling of consents and requires freely given consent. The German antitrust authority used typical antitrust arguments from bundling decisions. The decision has some similarity to the arguments made by CNIL in the French decision against Google (see Data Protection Report, First multi-million Euro GDPR fine: Google LLC fined €50 million under GDPR for transparency and consent infringements in relation to use of personal data for personalized ads).
From now on, online businesses which undertake large-scale data collection and processing should consider whether activities relating to the collection, combination and use of personal data from different sources could also constitute market dominance under anti-trust laws.
Posted in Compliance and risk management
This is the Data Protection Report’s seventh blog post in series of CCPA blog posts that will break down the major elements of the CCPA. Stay tuned for additional posts on the CCPA.
On January 25, 2019, the California Attorney General’s Office held a public forum in Los Angeles to solicit feedback on the California Consumer Privacy Act of 2018 (“CCPA”) as it prepares to draft regulations which must be adopted on or before July 1, 2020. CCPA provides new rights to California consumers with respect to the collection and use of their personal information. The CCPA authorizes the Attorney General to promulgate regulations that will establish procedures to facilitate consumers’ rights. The Attorney General’s Office does not answer questions at these forums; rather, the forums are designed to solicit feedback on the rulemaking categories enumerated in the text of the law, including, but not limited to, the definition of personal information and rules and procedures for how businesses must comply with a consumer’s request to opt out of the sale of personal information. Continue reading
On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.
We focus here on four key aspects of the decision: (a) why the Irish Data Protection Commission (Irish DPC) did not take the case; (b) the consent mechanism failings; (c) the privacy policy failings; and (d) the amount of the fine. Continue reading
Posted in Regulatory response
On January 23rd 2019, the European Commission adopted its adequacy decision in relation to the export of personal data from the European Union (EU) to Japan. Concurrently, Japan has adopted an equivalent decision in relation to the export of personal data from Japan to the EU. Such mutual decision is the result of two-years of dialogue and negotiations between both parties.
According to a joint statement issued by Věra Jourová (Commissioner for Justice, Consumers and Gender Equality) and Haruhi Kumazawa (Commissioner of the Personal Information Protection Commission of Japan), “these mutual adequacy findings create the world’s largest area of safe data transfers. They build on the high degree of convergence between the two systems, which rest notably on an overarching privacy law, a core set of individual rights and enforcement by an independent data protection authority.”
As detailed in the European Commission’s press release, prior to the European Commission’s adoption of the adequacy decision, Japan put in place a number of additional safeguards to ensure that personal data originating from the EU is adequately safeguarded under Japanese privacy laws. Such safeguards include:
The EU’s adequacy decision compliments the EU-Japan Economic Partnership Agreement (coming into force in February 2019) which will inevitably increase the flow of data, including personal data, between both territories (see press release here).
The EU’s adequacy decision is an important step in streamlining the flow of personal data between the EU and Japan. Whilst EU-based organisations will still need to put in place appropriate data processing and data sharing provisions with Japanese counterparties, they will no longer be required to enter into additional export arrangements such as the EU Model Clauses, thereby eliminating the time, workload and formalities associated with such mechanisms.
The adequacy decision reflects the European Commission’s commitment to engage with key trading partners in Asia. In line with this, it has also been in dialogue with South Korea since 2015 with the aim of working towards an adequacy finding, although these discussions remain ongoing at this stage.
Posted in Compliance and risk management
On 25 November 2018 the UK Government and the EU agreed a draft withdrawal agreement which set out the terms of the UK’s departure from the EU and made a political declaration on the framework for their future relationship, as provided for under Article 50(2) of the Treaty on European Union (Withdrawal Agreement). The purpose of the Withdrawal Agreement is to set out the terms of the UK’s departure from the EU and provide a transition period during which a more nuanced and ambitious future relationship can be agreed.
Had the UK Parliament approved the Withdrawal Agreement, it would have become a legally binding international treaty. However, following yesterday’s Parliamentary vote, approval of the Withdrawal Agreement has not been given by the UK Parliament and the UK therefore faces continued uncertainty with regard to its future relations with the EU. The imminent withdrawal date of 29 March 2019 (Withdrawal Date), presents two principal scenarios in the context of data protection:
Whilst the UK Government may continue to seek further concessions from the EU over the period to the Withdrawal Date in order to obtain Parliamentary approval (and we set out in the second section of this post, below, what should happen if the current Withdrawal Agreement (or one with similar data protection provisions) is ratified). However, if no alternative proposals can be agreed (including any alternative models, such as the so called “Norway” or “Canada plus” options), the UK will cease to be a member of the EU on the Withdrawal Date and, from that date, the UK’s European Union (Withdrawal) Act 2018 (Withdrawal Act) will apply to transpose directly applicable EU laws into UK law.
This means that the obligations and provisions of the GDPR as they exist at the Withdrawal Date would continue to apply in the UK (alongside the UK’s Data Protection Act 2018). The UK would become a “third country” for the purposes of EU data protection regulation.
The impact on the data protection landscape would be as follows:
Following the voting down of the Withdrawal Agreement, the Prime Minister will need to come back to Parliament within three days with a statement on what she proposes to do next. No doubt this will include her continuing to seek further concessions from the EU over the coming weeks and / or softening the UK’s own “red lines” in order to reach an agreement with the EU that the UK Parliament could ratify.
If the Withdrawal Agreement (with or without any revisions) is subsequently ratified by the UK Parliament, the UK will cease to be a member of the EU on the Withdrawal Date but a transition period expected to last until the end of December 2020 (the Transition Period) would commence. During the Transition Period, the parties would attempt to agree the terms of the future relationship between the UK and the EU.
The Withdrawal Agreement provides that, during this Transition Period, EU law continues to apply to the UK, and references to “Member State” in EU law shall be construed as including the UK. This means that transfers from the EEA to the UK could continue for the time being without any further measures being put in place, and gives the UK some time to try and obtain an “adequacy” decision from the European Commission (so that EEA to UK transfers can continue unaffected after the Transition Period too).[1] It also appears to mean that transfers from the UK to non-EEA jurisdictions would remain unaffected, and the expectation from the UK data protection authority and the US Department of Commerce’s International Trade Administration seems to be that the Model Clauses and the Privacy Shield could apply un-amended until the end of the Transition Period.
As to the UK’s participation in the European Data Protection Board, the Withdrawal Agreement provides that the UK would cease to participate in the EU’s decision-making bodies. Therefore, unless a special provision were to be made for the UK’s data protection authority (the ICO), it appears that the ICO would not participate in the European Data Protection Board from the Withdrawal Date. The Withdrawal Agreement also provides that the UK will no longer participate in the “one stop shop” and consistency mechanisms. Instead, as with a no-deal Brexit, organisations would have to prepare to liaise with both a European and UK data protection authority, and revisit assessments they have made about their main establishment and lead authority.
Some UK businesses have worked through the consequences of both a no-deal Brexit and the main establishment / one stop shop impact of the Withdrawal Agreement being ratified before the Withdrawal Date. Many have not, having regard to the difficulty in calling the likelihood of no-deal, Withdrawal Agreement or remain outcomes.
Businesses which are starting contingency planning now should focus, first, on the consequences of the loss of the “one stop shop”, as this will apply in both the no-deal and Withdrawal Agreement scenarios. They should then move on to focus on identifying affected data transfers and suitable export mechanisms, particularly if they think their EU customers will refuse to transfer personal data to them without such a mechanism.
Those businesses either in the UK and outside the EU, or outside both the UK and the EU, should review if they need a new UK or EU representative.
Finally, we would not expect non-compliance enforcement by data protection authorities to be particularly quick following a no-deal Brexit; we would expect most of the pressure to come from EEA counterparties.
[1] The political declaration in the Withdrawal Agreement provides that, during the Transition Period the EU will work towards granting the UK an adequacy decision and to find ways for the UK and EU data protection authorities to cooperate. So ideally the UK will be given an adequacy finding, and some form of cooperation (not likely to be anyway near as extensive as the “one stop shop”) will be implemented before the Transition Period expires. If not, at the end of the Transition Period the position will be much the same as at no-deal Brexit.
