Privacy News 14/05/2021

May 18, 2021

European Union

LIBE Committee urges Commission to amend UK adequacy decisions

The LIBE Committee of the European Parliament announced, on 11 May 2021, that it had passed a draft resolution evaluating the European Commission’s approach on the adequacy of the UK’s data protection regime.

The resolution urges the Commission to amend its adequacy decisions to bring them in line with EU court rulings and concerns raised by the EDPB.

Moreover, the resolution finds that, if the implementing decisions are adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.

Specifically, the LIBE Committee found that although the basic data protection framework of the UK is similar to that of the EU, there are concerns over its implementation, highlighting that the UK grants broad exemptions in the fields of national security and immigration.

The LIBE Committee also raised concerns over the onward transfer of data in relation to a number of UK policies. In particular, the LIBE Committee highlighted that the UK’s data-sharing agreements with the US open up the possibility of EU citizens’ data being shared in the US, despite the Schrems II Decision that found US practises of bulk data access and retention incompatible with the GDPR.

Moreover, the LIBE Committee therefore called for the Commission and the UK authorities to address the above issues, advising that if they are not addressed, no adequacy decision should be granted.

Finally, the LIBE Committee outlined that the draft resolution will be debated and put to the vote during next week’s plenary session.

You can read the press release here.

LIBE Committee proposes amendments to Data Governance Act

The LIBE Committee of the European Parliament published, on 11 May 2021, a draft opinion proposing amendments to the European Commission’s proposed Data Governance Act.

In particular, the draft opinion argues that legal clarity and certainty regarding the relationship between the DGA and the GDPR is essential and therefore proposes the addition of an express provision stating, among other things, that:

  • the DGA is without prejudice to the GDPR;
  • the DGA does not create a new legal basis for the processing of personal data;
  • in the case of conflict between the DGA and the GDPR, the latter should prevail;

The draft opinion also suggests re-drafting the provisions applying to data subjects and data holders in order to effectively differentiate between personal and non-personal data, notably with respect to data sharing service providers who, according to the draft opinion, must treat personal data in a distinctly different way to non-personal data.

You can read the draft opinion here.

National Authorities

France : CNIL releases standard on processing traffic violation data

The CNIL released, on 7 May 2021, a standard on the processing of data in relation to designating traffic violations.

The standard sets out guidelines for public and private organisations, including vehicle rental companies and private employers who provide rental vehicles to employees, on the application of the GDPR when identifying and designating drivers who have committed traffic violations, highlighting the following three main use cases:

  • the designation, to the National Agency for Automated Offence Processing, of the person who was driving or was likely to have been driving the vehicle when the offence was observed;
  • the monitoring of the procedure for recovering traffic violations for which public or private organisations may be financially liable; and
  • the production of anonymous statistics, in particular with a view to adapting road prevention training.

For each of the above contexts, the standard explains how to apply the relevant data protection considerations, including what the applicable legal basis for processing would be, how to implement data minimisation…

You can read the press release here and the standard here, both only available in French.


Germany : HmbBfDI prohibits further processing of Whatsapp user data by Facebook

The Hamburg Commissioner for Data Protection and Freedom of Information announced, on 11 May 2021, that it had issued an order prohibiting Facebook Ireland Ltd. from further processing WhatsApp user data for its own purposes, following recent updates to WhatsApp’s privacy policy and terms of use.

For the HmbBfDI, there is no sufficient legal basis for the aforementioned processing by Facebook and that the provisions regarding data transfers are misleading and have been spread across different levels of the document.

In addition, the HmbBfDI noted that consent had not been provided on a voluntary basis because the consequences of providing consent remain unclear. The HmbBfDI also determined that Facebook would not be able to rely on an overriding legitimate interest for processing the personal data of WhatsApp users, as this would conflict with their rights and freedoms, nor would the company be able to process the data on the basis of it being necessary for the performance of a contract.

Finally, the HmbBfDI outlined that, due to the limited timeframe of three months, it will request a referral from the EDPB with a view to obtaining a decision at the European level.

You can read the press release, only available in German, here.


Ireland : High Court orders DPC to implement CJEU Schrems II judgment 

 NOYB announced, on 13 May 2021, that the Irish High Court had issued its decision outlining that the Irish DPC had the right to open a second “own volition” inquiry against Facebook Ireland Ltd.

According to NOYB , the DPC now has two open procedures to implement the CJEU’ landmark judgment ( Schrems II) in which it held that Facebook may not transfer personal data from the EU to the US.

The decision  also outlines that the DPC must investigate the original 2013 complaint made by Mr Schrems and that it shall do so in parallel with the new investigation.  

You can read the judgment here.


Netherlands : AP fines €525,000 for failing to designate a representative in EU

The AP announced, on 12 May 2021, its decision to impose a fine of €525,000 against

 In particular, the AP outlined that had failed to comply with the obligation to designate, in writing, a representative in the EU, in violation of Article 27 of the GDPR. The AP  had received 19 complaints in relation to the company’s failure to comply with data erasure requests and the absence of an establishment or representative of within the EU.

You can read the press release here and the decision here, both only available in Dutch.