Privacy News 12/02/2021

Feb 15, 2021

 European Union

Council agrees position on ePrivacy Regulation, final text to be agreed with Parliament

The Council of the European Union announced, on 10 February 2021, that its Member States had agreed on a negotiating mandate for the revised rules on the protection of privacy and confidentiality in the use of electronic communications services.

The Council noted that, further to this agreement, the Portuguese Presidency of the Council will commence negotiations with the European Parliament on the final text of the Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications, which will repeal the Directive on Privacy and Electronic Communications (2002/58/EC).

The Council also outlined that, under its mandate, the ePrivacy Regulation will cover electronic communications content and related metadata transmitted via publicly available services and networks, as well as ensure secure use of IoT.

In addition, the Council highlighted the rules applicable to cookies, noting in particular that the end-user should have a genuine choice on whether to accept cookies or similar identifiers, as well as be able to give consent to the use of certain cookie types by whitelisting certain providers in their browser settings.

The Council also noted that the processing of electronic communications data without the users’ consent may be permitted in cases where the aim of the processing is to, among other things, ensure the integrity of communications services and check for the presence of malware or viruses.

Furthermore, the Council stated that the final text of the ePrivacy Regulation includes specific rules on online identification and public directories, as well as unsolicited and direct marketing.

You can read the press release here and the agreed text here.

 

National Authorities

 DPC clarifies difference between discovery and access requests following High Court decision

The DPC published, on 10 February 2021, a statement on the difference between discovery and access requests. This statement refers to the High Court’s decision in Dudgeon v Supermacs Ireland Ltd [2020] IEHC 600, whereby it was ruled that a restaurant was not obliged to disclose CCTV recordings of an incident to a person identifiable on the recording, who claimed damages for injuries resulting from that incident.

The statement highlights that the case in question is related to discovery in litigation in Ireland and to the specific circumstances surrounding the case. Furthermore, according to the DPC, the purpose of discovery is to give parties to a case access to documents and materials that are necessary for the fair disposal of the issues being brought before the court, whereas an individual’s right under the GDPR to request access to their personal data does not depend on whether they are engaged in a court case.

You can read the statement here.

 

 BfDI criticises Council’s position on ePrivacy Regulation

The Federal Commissioner for Data Protection and Freedom of Information issued, on 10 February 2021, a statement on the Council of the European Union’s position on the Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC.

The BfDI highlighted a number of issues with the ePrivacy Regulation, namely regarding the reintroduction of data retention, the use of cookie walls, data subject rights, Data Protection Impact Assessments, and consent requirements.

You can read the press release, only available in German, here.

 Garante announces inspection activity for January to June 2021

The Garante issued, on 10 December 2020, a resolution outlining its inspection activity for the period between January and June 2021. Its activity will focus on investigations related to the public interest, including the processing of biometric data through facial recognition technology, the processing of data carried out by data brokers, and data breaches.

You can read the resolution, only available in Italian, here.

 

 The AP receives increased resources

The Dutch Parliament approved a budget increase for the Autoriteit Persoonsgegevens. It will allow the AP to boost its staffing from 184 employees to 470.

You can read the news here.

 

 The Baden-Württemberg Commissioner for Data Protection and Freedom of Information published its 2020 activity report

You can read the report, only available in German, here.

Fines

 AP fines OLVG hospital €440,000 for insufficient security of medical records

The Dutch data protection authority announced, on 11 February 2021, its decision to fine the OLVG hospital €440,000 for insufficient security of medical records.

The decision notes that the hospital had taken too few measures between 2018 and 2020 to prevent access by unauthorised employees to medical records, thereby violating Article 28 of the GDPR.

In addition, the decision outlines that the AP’s investigation identified two main violations: namely, that the OLVG did not use two-factor authentication within the hospital and that, although the OLVG was logging access to files by staff, it was not checking often enough for unauthorised access to files.

You can read the press release here and the decision here, both only available in Dutch.