Privacy News 05/02/2021

Feb 8, 2021

 European Union

LIBE Committee calls on Commission to begin infringement proceedings against DPC for GDPR enforcement failures

The Irish Council for Civil Liberties announced, on 4 February 2021, that the EU LIBE Committee has prepared a draft motion for resolution, calling on the European Commission to begin infringement proceedings against the Irish Data Protection Commission for failing to enforce the GDPR.

The ICCL highlights the European Parliament’s concerns within the draft motion, i.e. that the DPC started the Schrems II case instead of taking a decision within its powers pursuant to Article 58 of the GDPR, and that several complaints against breaches of the GDPR filed on 25th May 2018 have not yet been decided by the DPC, which is the lead authority for these cases.

The ICCL notes that the Parliament strongly condemns the attempt of the DPC to shift the costs of the judicial procedure to Maximilian Schrems.

For the ICCL, there is growing concern that the DPC, as the lead supervisory authority, is failing to adequately regulate the big tech companies headquartered in Dublin.

You can read the ICCL’s press release here, the LIBE Committee’s draft motion here, and the ICCL’s letter here.

 

EDPS publishes orientations on manual contact tracing by EU Institutions in context of COVID-19

The EDPS published, on 2 February 2021, guidelines setting out its orientations on manual contact tracing by EU institutions in the context of the COVID-19 crisis.

The guidelines note that some European institutions, agencies and bodies have implemented a manual contact tracing system in order to trace persons who have been in close contact with a person infected by COVID-19. They add that the EDPS considers manual contact tracing compatible with the requirements of Regulation (EU) 2018/1725, as long as the institutions put in place comprehensive data protection measures.

The guidelines also state that, in view of the high sensitivity of the data at stake and the high risk for the privacy of individuals, institutions need to conduct a DPIA when developing and implementing a manual contact tracing operation.

You can read the guidelines here.

 

National Authorities

CNIL urges organisations to bring websites and apps into compliance with new cookie rules

The CNIL issued, on 4 February 2021, guidance urging public and private organisations to bring their websites and apps into compliance with its final recommendations and amended guidelines on cookies and other trackers before 31 March 2021. The CNIL drew attention to cookie banners showing detail on the purposes behind using cookies and to the need for refusing cookies to be as easy for users as accepting them.

For the CNIL, a button allowing users to ‘configure’ next to an ‘accept all’ button dissuades users from refusing cookies and thus does not comply with the GDPR.

The CNIL also highlighted that it had been assessing the cookie practices of the 1,000 websites with the most visitors in France and had decided to send letters to the websites that place cookies without having collected prior consent.

Lastly, the CNIL reiterated that audience measurement cookies that are solely used for the production of anonymised statistics and are strictly necessary for the proper functioning of the service provided do not require prior consent.

You can read the guidance, only available in French, here.

 

Fines

 DPA issues €50,000 fine to Family Service for transparency and consent violations of the GDPR

The Belgian Data Protection Authority announced, on 28 January 2021, that it had issued, on 20 January 2021, a €50,000 fine to Family Service, a marketing company distributing ‘pink boxes’ containing sponsored gifts, for violations of the GDPR.

The Litigation Chamber of the Belgian DPA outlined that Family Service had transferred personal data belonging to more than one million clients, including children, to third parties, without obtaining valid consent or providing sufficient information to the data subjects.

In the calculation of the fine, the Belgian DPA noted that it considered the number of data subjects involved (21% of the Belgian population), the severity of the violation, and the fact that the affected personal data included that of children.

You can read the press release, available in French and Dutch, here and the decision, only available in Dutch, here.

Baden-Württemberg data protection authority initiates fine proceedings against VfB Stuttgart for data protection violations

The Baden-Württemberg data protection authority announced, on 3 February 2021, that it had opened fine proceedings against VfB Stuttgart 1893 AG following an investigation into the club which found that it had breached its data protection obligations.

Further investigations will now be carried out by the State Commissioner, who has corrective powers under Article 58(2) of the GDPR.

You can read the press release, only available in German, here.