Privacy News 06/11/2020

Nov 9, 2020

 European Union

Presidency releases revised draft Eprivacy Regulation

The German Presidency of the Council  of European Union published on November 4, 2020 a new version of the proposal for a “Regulation of the European Parliament and of the Council concerning privacy and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on privacy and electronic communications)” which is expected to be shared with Council members on November 11.

In its analysis, Euractiv notes that this proposal removes the provision relating to the legitimate interest in the general processing of metadata, included in previous versions of the text.

On the other hand, the processing of such metadata would still be allowed to protect a vital interest, for example for humanitarian purposes, including monitoring epidemics and their spread, or in humanitarian emergencies, natural and man-made disasters.

While the German position is seen by some as a brake on the Commission’s planned innovation as part of its data strategy – aimed at making the most of the “untapped potential” of vast industrial data holdings – the Commission is expected to unveil a draft text on data governance on November 11 that will set out new rules to facilitate greater sharing of non-personal data.

The text includes many other adjustments, such as the deletion of provisions on the processing of data relating to electronic communications with a view to preventing child sexual abuse, postponed to possible decisions of the Union or Member States restricting by law certain rights and obligations.


The European Data Protection Supervisor  warned European institutions to refrain from engaging in new activities involving the transfer of personal data to the United States

It also asks them to carry out “a mapping exercise identifying current contracts, procurement procedures and other types of cooperation that involve data transfers”.

This warning follows a EURACTIV report released on Wednesday, 28th of October, which reveals that the European Parliament’s coronavirus test management website is overwhelmed with tracking requests from users, some of whom are siphoning data to US-based companies.


National authorities

 AEPD approves advertising code of conduct

The Spanish data protection authority (‘AEPD’) approved, on 3 November 2020, the Code of Conduct for Data Processing in Advertising Activity presented by the Association for the Self-regulation of Commercial Communication (‘AUTOCONTROL’), making it the first code of conduct to be approved by the AEPD under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In particular, the AEPD noted that the code of conduct aims to establish an out-of-court system to process claims on data protection and advertising, which is effective and free for consumers.

You can read the press release here and the code of conduct here, both only available in Spanish.


 For the Vlaamse Toezichtcommissie, the use of Amazon Web Services is, in some cases, not compliant with the GDPR

A report of the Flemish Supervisory Commission (“Vlaamse Toezichtcommissie”) warns the authorities that the use of AWS is, in some cases, not in accordance with the principles and provisions of the GDPR.

You can read the report here and an analysis  here, both only available in Dutch.



 AEPD fines La Casa Comprometida 3,000 euros for unlawful cookie practices

On November 3, 2020, the Spanish Data Protection Authority issued a decision in the procedure PS/00116/20200, ordering La Casa Comprometida S. Coop to pay a fine of € 3,000 for unlawful cookie practices.

La Casa Comprometida had published a cookie policy on its website, in which the first layer containing the cookie banner had provided information that was not concise or intelligible.

The second layer containing the terms and conditions had not provided the necessary information on the options to configure the acceptance of cookies in a granular way and/or the option of accepting/rejecting all cookies.

You can read the decision here, only available in Spanish.


 Dublin Circuit Court confirms DPC’s decision to fine Tusla € 75,000 for GDPR failures

The Data Protection Commission announced on November 4, 2020, that the Dublin Circuit Court had upheld its decision to impose a fine of € 75,000 on Tusla Child and Family Agency.

Tusla was found to be in breach of Article 32(1) of the GDPR by failing to implement appropriate organisational measures to ensure a level of security appropriate to the risk presented by its processing of personal data in respect of its sharing of documents with third parties, as well as Article 33(1) of the GDPR by failing to notify the DPC of the third breach without undue delay.

You can read the press release here.