European Commission publishes draft UK adequacy decision
The European Commission launched, on 19 February 2021, the process towards the adoption of two adequacy decisions for the transfers of personal data to the UK, one under the GDPR and the other under the Law Enforcement Directive. The Commission highlighted that it has assessed the UK’s law and practice on personal data protection, including the rules on access to data by public authorities, and concluded that the UK ensures an essentially equivalent level of protection to the one guaranteed under both the GDPR and the Law Enforcement Directive.
The EDPB must now provide its opinion on the findings, after which the Commission will request approval from Member States’ representatives in the comitology procedure before adopting the final adequacy decisions for the UK.
Data flows between the European Economic Area and the UK will remain safeguarded under the conditional interim regime that was agreed in the EU-UK Trade and Cooperation Agreement until 30 June 2021.
European Commission addresses data flows in trade strategy
The European Commission released, on 18 February 2021, its trade strategy which prioritizes new rules for digital trade. The strategy aims to remove unjustified trade barriers in the digital economy in order to gain the benefits of digital technologies.
It requires the Commission to follow an open but assertive approach, based on European values and interests, with regard to cross-border data transfers and the prohibition of data localisation requirements.
This strategy also seeks to ensure that businesses can benefit from the international free flow of data in full compliance with EU data protection rules and other public policy objectives, such as public security and public order.
Garante publishes FAQs on employee vaccination
The Garante published, on 17 February 2021, FAQs on COVID-19 vaccinations of employees.
The FAQs address, among others, the questions of whether an employer can ask their employees to be vaccinated before accessing the workplace and whether employers can ask doctors for the names of the employees that have been vaccinated.
The FAQs outline that employers cannot acquire the names of vaccinated employees or a copy of their vaccination certificates even in cases where the employee has given their consent, as well as noting that only competent doctors can process relevant data related to employees’ vaccination and take them into account when assessing their suitability for work.
LfD Niedersachsen publishes DPIA assessment scheme
The LfD Niedersachsen published, on 11 February 2021, a detailed assessment scheme aimed at helping companies understand whether a DPIA should be carried out.
The scheme includes a checklist according to Article 35(4) of the GDPR, outlining examples of processing activities which are subject to a DPIA, and a comprehensive glossary of the most important terms, such as biometric data, new technologies, and profiling.
Sweden: IMY fines Swedish Police Authority SEK 2.5M for unlawfully using Clearview AI app
The IMY issued, on 11 February 2021, a decision fining the Swedish Police Authority SEK 2,500,000 (approx. €250,000) for processing personal data in breach of the Criminal Data Act, when using Clearview AI to identify individuals.
The decision notes that the IMY had initiated the investigation, following news in the media of the Swedish Police Authority using the application Clearview AI for facial recognition.
According to the decision, Clearview AI had been used by the Police on a number of occasions and, according to the Police, a few employees had used the application without prior authorisation.
Furthermore, the decision notes that the Police has not fulfilled its obligations as a data controller in a number of respects with regard to the use of Clearview AI, such as:
- failing to implement sufficient organisational measures to ensure and demonstrate that the processing of personal data has been carried out in compliance with the Act;
- unlawfully processing biometric data; and
- failing to conduct a data protection impact assessment which the processing of biometric data would require.
Lastly, the decision notes that the Police has been ordered to inform the affected data subjects and to erase any personal data transferred to Clearview AI.
AGCM fines Facebook €7M for non-compliance with order concerning consumer rights violations
The AGCM announced, on 17 February 2021, that it had fined Facebook Ireland Ltd. and Facebook Inc. €7 million for not complying with an order issued in November 2018 regarding the unlawful processing of consumer data.
The AGCM found that Facebook had been misleading consumers to register on the platform without informing them in a timely and adequate manner about the data that would be collected from them for commercial purposes.
In addition, the AGCM highlighted that the information provided by Facebook had been inadequate and failed to distinguish between the data necessary for offering personalised services and the use of data for targeted advertisement.
Moreover, the AGCM noted that its investigation had indicated that the two companies had not ceased their misleading practices despite its order to Facebook to do so.
Therefore, the AGCM fined Facebook €5 million for not complying with the November 2018 order and an additional €2 million for not publishing an amended declaration on the homepage and the app to ensure that its consumers are not misled.