Privacy News 15/01/2021

Jan 18, 2021

European Union

EDPB updates statement and information note on Brexit

The EDPB released, on 13 January 2021, an updated version of its Statement on the End of the Brexit Transition Period and its Information Note on Data Transfers under the GDPR to the United Kingdom after the Transition Period.

The EU-UK Trade and Cooperation Agreement, which has applied provisionally since 1 January 2021 and until 28 February 2021, pending ratification by the European Parliament and the Council of the European Union, provides that, for a maximum period of six months from its entry into force and on the condition that the UK's current data protection regime stays in place, flows of personal data between stakeholders subject to the GDPR and UK organisations will not be considered transfers to a third country.

During that period, organisations subject to the GDPR can continue to transmit personal data to UK organisations without having to put in place a transfer tool or rely on a derogation.

If no adequacy decision applicable to the UK is adopted by 30 June 2021, all transfers of personal data between stakeholders subject to the GDPR and UK entities will then constitute a transfer of personal data to a third country and therefore will be subject to the provisions of Chapter V of the GDPR.

You can read the updated statement here and the updated information note here.

CJEU’s AG opinion addresses data protection authorities’ competence over cross-border data processing

The CJEU published, on 13 January 2021, the Advocate General Michal Bobek’s opinion in Facebook Ireland Limited, Facebook Inc., Facebook Belgium BVBA v Gegevensbeschermingsautoriteit (Case C-645/19).

The opinion concludes that the data protection authority of the Member State in which a controller or processor has its main EU establishment has general competence to bring court proceedings for GDPR infringements relating to cross-border data processing. The other data protection authorities concerned are nevertheless entitled to bring such proceedings in their own Member State in the situations where the GDPR specifically allows them to do so.

According to the Advocate General, national data protection authorities that do not act as lead authority can still bring proceedings before the courts of their own Member State in respect of cross-border processing in a number of situations, such as when they:

  • act outside the material scope of the GDPR;
  • investigate cross-border data processing carried out by public authorities, in the public interest, in the exercise of official authority, or by controllers not established in the EU;
  • adopt urgent measures; or
  • intervene following the lead data protection authority having decided not to handle a case.

You can read the press release here and the opinion here.


National authorities

AEPD publishes paper on conducting audits for data processing that uses AI components

The AEPD published, on 12 January 2021, a paper aimed at managers who have to audit processing that involves artificial intelligence, as well as at managers and developers who want to offer guarantees about their products and solutions.

The paper highlights that auditing the processing of personal data is one of the tools for evaluating regulatory compliance, as required under the GDPR, and provides guidelines, methodologies, control objectives, and a list of controls that could be included in the data protection audit of processing operations that incorporate AI components or solutions.

You can read the press release here and the paper here, both only available in Spanish.


Garante issues statement on WhatsApp changes to privacy policy and terms of service

The Garante issued, on 14 January 2021, a statement on the message by which WhatsApp Inc. informed its users of the updates to its terms of service that will apply from 8 February 2021.

In the Garante's view, this message, together with the privacy policy describing the processing carried out on users' personal data, and in particular the data sharing that WhatsApp will carry out with other entities of its group, is not sufficiently clear and understandable and must therefore be assessed in light of the applicable privacy legislation.

More specifically, the Garante pointed out that the updated terms of service and privacy policy do not allow users to understand clearly what the changes are and which data processing activities will be carried out from 8 February 2021, and that the privacy policy does not offer users the possibility of expressing their will freely and in an informed way.

The Garante therefore stated that it had raised the issue with the EDPB, and that it reserves the right to intervene as a matter of urgency to protect the personal data of Italian users.

You can read the statement, only available in Italian, here.


DPC to move against Facebook personal data transfers

The DPC has agreed to Max Schrems' demand to swiftly end the 7.5-year battle over Facebook's EU-US data transfers and to reach a decision on Facebook's EU-US data flows.

You can read NOYB's press release here.

UK mass hacking ruled illegal

After five years of legal wrangling, the UK High Court has ruled that the security and intelligence services cannot search the computers and phones of millions of people under a single 'general warrant'.

Quashing a decision by the Investigatory Powers Tribunal (IPT), the court ruled that section 5 of the Intelligence Services Act (ISA) 1994 does not permit the issuing of general warrants for property interference and certain forms of computer hacking.

You can read Privacy International's press release here.


CNIL sanctions Ministry of Interior for unlawful use of drones

The CNIL announced, on 14 January 2021, that it has issued a deliberation sanctioning the Ministry of Interior for unlawfully using camera-equipped drones to monitor compliance with quarantine measures.

The CNIL found that the Ministry had used such drones without any legal text authorising it to do so, and that it had failed to inform the CNIL even though its Data Protection Impact Assessment had shown a high risk to the rights and freedoms of individuals.

The CNIL also noted that the blurring mechanism was applied to the drone footage only after images containing personal data had already been collected, and that it did not ensure that people could not be identified from those images.

Since the CNIL cannot impose a fine on a public body, it issued a sanction against the Ministry and ordered it to stop using the drones.

You can read the announcement here and the deliberation here, both only available in French.


AEPD fines CaixaBank €6M for consent and information failures

The AEPD issued, on 13 January 2021, a resolution in proceeding PS/00477/2019, fining CaixaBank S.A. €6 million for violating Articles 6, 13, and 14 of the GDPR.

In relation to the violation of Articles 13 and 14 of the GDPR, the resolution highlights that the information CaixaBank provided across different documents was not uniform, that the privacy policy used imprecise terminology, and that the information on the categories of personal data processed, the profiling of users, the exercise of rights, and data retention periods was insufficient.

In relation to the violation of Article 6 of the GDPR, the AEPD highlights that CaixaBank did not sufficiently justify the legal basis for its processing of personal data, especially for data processed on the basis of legitimate interest, and did not meet the requirements for valid consent, namely that it be specific, unequivocal, and informed.

The resolution further outlines that deficiencies were identified in the processes set up to obtain clients' consent to the processing of their personal data, and states that the transfer of personal data to companies within the CaixaBank Group was unlawful.

As a result, the AEPD imposed a fine of €2 million for the violation of Articles 13 and 14 of the GDPR and a fine of €4 million for the violation of Article 6 of the GDPR, and ordered CaixaBank to bring its processing into compliance with data protection regulations within six months.

You can read the resolution, only available in Spanish, here.


AEPD fines Tres F Network SAU €4,000 for direct marketing violation

The AEPD issued, on 13 January 2021, a resolution in proceedings PS/00429/2020, fining Tres F Network SAU €4,000 for a violation of Article 21 of Law 34/2002 of 11 July 2002 on information society services and electronic commerce (LSSI).

The resolution highlights that Tres F Network SAU violated Article 21 of the LSSI by sending direct marketing communications without the recipient's consent.

You can read the resolution, only available in Spanish, here.