European Union
CJEU adresses application of “one stop shop” mecanism
The CJEU released, on 15 June 2021, its judgment in Facebook Ireland Ltd, Facebook Inc., Facebook Belgium BVBA v. Gegevensbeschermingsautoriteit, in which it responded to the Belgian Court of Appeal’s request for a preliminary ruling in relation to the effect of the application of the ‘one-stop shop’ mechanism provided for by the GDPR.
In particular, the CJEU outlined that, under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a Member State, even though that authority is not the lead supervisory authority with regard to the processing.
Moreover, the CJEU addressed the conditions governing whether a national supervisory authority, which does not have the status of a lead supervisory authority in relation to an instance of cross-border processing, must exercise its power to bring any alleged infringement of the GDPR before a court of a Member State and, where necessary, to initiate or engage in legal proceedings to ensure the application of the GDPR.
You can read the judgment here.
National Authorities
UK : Taskforce report calls for new data protection framework to replace UK GDPR
The Taskforce on Innovation, Growth and Regulatory Reform published, on 16 June 2021, a report containing recommendations to the Prime Minister, Boris Johnson, on how the UK can reshape its approach to regulation and seize new opportunities from Brexit.
The Taskforce was formed upon request by Johnson, in order to identify and develop proposals across a range of areas driving innovation, growth, and competitiveness through regulatory reform. Notably, the report calls for a new data protection framework, a UK Framework of Citizen Data Rights, to replace the UK GDPR, describing it as unnecessarily restricting the use of data for worthwhile purposes.
You can read the press release here and the report here.
Ireland:DPC publishes guidelines on DPO registration
The DPC announced on 12 June 2021, that it had released guidance on the DPO Register.
The guidelines noted that all organisations that have appointed a DPO pursuant to Article 37(1) GDPR are required to notify the contact details of their DPO to the DPC, which maintains these details in the DPO Register.
You can read the guidance here.
Belgium : DPA publishes annual report for 2020
The Belgian DPA published, on 11 June 2021, its annual report for 2020.
The report outlines, among other things, that the amount of complaints that it had received had increased by 290.64%, to 668, and data breach notifications by 25.09%, to 1097, all while remaining focussed on the priorities identified in its Strategic Plan 2020-2025 such as direct marketing, protection of personal data online, and simplifying applicable data protection requirements as part of raising awareness.
Furthermore, the report indicates that the Belgian DPA received 146 requests for opinions, opened 89 mediation cases, processed 4,123 requests for information, and launched 149 investigations.
You can read the press release here, the report in French here and in Dutch here.
Spain : AEPD launches new data breach notification system
The AEPD announced, on 15 June 2021, that it had launched a new system for personal data breach notification which simplifies the process by guiding those responsible through specific questions so that they know which points they need to address.
According to the AEPD, the new system facilitates the gradual notification of personal data breaches, establishing two types of notifications : new notification or modification of a previous notification.
This new system sits alongside the free ‘Communicate-Breach GDPR’ tool which aims to assist organisations in assessing whether they need to communicate the data breach to affected individuals.
You can read the press release here and access the notification system here and the Communicate-Breach GDPR tool here, all only available in Spanish.
Fines
France : CNIL fines Brico Privé €500,OOO for marketing and cookie violations
The CNIL announced, on 17 June 2021, that it had issued a decision to fine Brico Privé €500,000 for violations of several obligations provided for by the Postal and Electronic Communications Code, the GDPR and the Data Protection Act.
The CNIL outlined that Brico Privé had failed to respect the data retention periods that it had set, in violation of Article 5(1)(e) of the GDPR, with respect to the data of 146,000 customers, whilst also noting that it had failed to respect transparency obligations, the right to erasure, and data security obligations, in violation of Articles 13,17 and 32 of the GDPR.
The CNIL also highlighted that Brico Privé had sent prospecting emails to individuals who had created an account on their website but had not made a purchase, without the prior consent of such individuals, in violation of Article L34-5 of the Code, as well as placing advertising cookies without consent, in violation of Article 82 of the Data Protection Act.
You can read the press release here and the decision here, both only available in French.
