Developments have continued at a rapid pace since the General Data Protection Regulation ("GDPR") entered into force on 25 May 2018. Here we outline the most important developments in the last quarter.
Court of Justice confirms broad interpretation of the journalistic exception
The right to the protection of personal data is not an absolute right, and in some cases it must be balanced against the right to freedom of expression and information. That is why the GDPR provides for exceptions to the obligations for the processing of personal data for journalistic purposes. In a judgment dated 14 February 2019 (C-345/17), the Court of Justice ruled that the posting of a video on YouTube by non-professional journalists constitutes the processing of personal data for journalistic purposes provided that the purpose of the recording and publication is solely to make information, opinions or ideas known to the public.
In the light of that judgment, it seems that the Belgian legislator will have to review the scope of article 24 of the Belgian framework act (in French), which limits the journalistic exception from the obligations under GDPR to "the controller responsible for compliance with journalistic deontological rules".
EDPB publishes information notes on compliance in case of a no-deal Brexit
In less than one month, the United Kingdom ("UK") is expected to leave the European Union ("EU"), possibly without any withdrawal arrangements. On 12 February 2019, the European Data Protection Board ("EDPB") published two information notes explaining to companies and organisations how to properly comply with the GDPR in the event of a "no-deal Brexit".
In the event of a no-deal Brexit, transfers of personal data to the UK must be additionally protected as from 30 March 2019 (or a later date in case of postponement of brexit) by means of one of the instruments provided for in Chapter V of GDPR. We refer to Eubelius Spotlights March 2019 on the protection of personal data after a (no-deal) Brexit and Eubelius Spotlights March 2019 for an overview of the potential consequences of Brexit for financial service providers.
More information can be found in the information notes of the EDPB:
- Information note on data transfers under the GDPR in the event of a no-deal Brexit
- Information note on binding corporate rules for companies which have ICO as lead supervisory authority
EDPB issues a new opinion on the interplay between the Clinical Trials Regulation and the GDPR
On 23 January 2019, the EDPB issued an opinion on the interplay between the Regulation on clinical trials on medicinal products for human use and the GDPR. The opinion addresses the GDPR requirements regarding the legal basis for the processing of personal data in the context of a clinical trial protocol (primary use) and the further use of clinical trial data for other scientific purposes (secondary use).
You can find the advice here.
EU adequacy decision on Japan
EU and Japanese companies can now exchange information without having to use additional instruments such as standard contractual clauses (Article 46 GDPR). On 23 January 2019, the European Commission adopted an adequacy decision establishing an equivalent level of data protection in the EU and Japan. This adequacy decision, applicable since 23 January 2019, is the first since the entry into force of the GDPR.
Developments regarding the right to be forgotten
Advocate General ("AG") Szpunar delivered two important opinions on the right to be forgotten (Article 17 GDPR) to the Court of Justice on 19 January 2019.
In the first opinion (in French), the AG held that the prohibition on processing sensitive personal data applies to Google, even though Google itself has not placed the sensitive data on the web pages to which its links point. According to the AG, Google is also obliged to systematically comply with requests to remove links to websites containing sensitive data. Google must, however, carefully balance the right to privacy and the right to the protection of personal data with the right of the public to have access to the information in question and the right to freedom of expression of the person who provided the information.
In the second opinion (in French), the AG stated that searches made outside the territory of the EU are not subject to the removal of links from the search results. According to the AG, Google is obliged to remove search results displayed after a search query from an IP address of an internet user located in the EU, regardless of the domain name entered by that internet user. In this context, Google must take all possible measures to ensure effective and complete removal of the links within the territory of the EU, including geo-blocking.
Both (non-binding) opinions are currently being considered by the Court of Justice, which will make a decision.
Websites that use the Facebook "Like" button are (jointly) responsible for the protection of personal data
An operator of a website who integrates a third-party plug-in, such as the Facebook "Like" button, into his website is responsible, together with that third party, for the processing of personal data collected via the plug-in. This position was put forward by Advocate General Bobek in his opinion of 19 December 2018. According to the AG, this is the case because the website operator contributes to the processing of personal data by simply using the plug-in on his website. The consequence of this ruling is that the website operator must provide the visitors with the required minimum information regarding the data processing involved and, if necessary, obtain their consent before the personal data are collected and passed on to third parties. This, again, is a non-binding opinion on which the Court of Justice will make a decision in the coming months.
New guidelines on the territorial scope of the GDPR
Article 3 GDPR sets out the rules concerning the territorial scope of the regulation and constitutes an important development and extension of the data protection rules compared to Directive 95/46/EC.
Article 3 GDPR defines the territorial scope of the GDPR on the basis of two main criteria: the "establishment criterion" (Article 3(1) GDPR) and the "target criterion" (Article 3(2) GDPR). When one of these two criteria is fulfilled, the provisions of the GDPR apply to the processing of personal data by the controller or processor. The EDPB has recently published guidelines with more explanations and examples of the application of both criteria. These guidelines clarify the boundaries of what is an establishment in the EU and provide some factors for determining whether or not companies established outside the EU target their goods or services at EU data subjects or observe their behaviour. The procedure for appointing a representative in the EU and his/her responsibilities are also further addressed in these guidelines.
More information can be found in the (draft) EDPB guidelines: Guidelines 3/2018 on the territorial scope of the GDPR (Article 3).
Belgian Data Protection Authority clarifies the terms "controller" and "processor
The Data Protection Authority ("DPA") has published a note on its website containing an overview of the terms "controller" and "processor" in the light of the GDPR. It also zoomed in on some specific consequences for liberal professions such as attorneys. In the note, the DPA repeats the principles from previously published guidelines from European data protection authorities. For example, the DPA emphasises that the legal qualification of both concepts requires a factual analysis for each processing activity, whereby responsibilities must be placed with the persons who have an actual influence on the processing operations.
More information about these terms can be found in the DPA's note: Le point sur les notions de responsable de traitement/sous-traitant au regard du Règlement EU 2016/679 sur la protection des données à caractère personnel (RGPD) et quelques applications spécifiques aux professions libérales telles que les avocats (in French).
First GDPR fines issued
The GDPR is not a paper tiger. In recent months, data protection authorities across Europe have started to issue fines. The following actions have been taken in our neighbouring countries:
- In the Netherlands, the Dutch Personal Data Authority ("Autoriteit Persoonsgegevens") imposed a fine of EUR 600,000 on Uber for its late reporting of a personal data breach (Articles 33–34 GDPR).
- The French data protection authority ("CNIL") fined Google EUR 50,000,000 for lack of transparency, insufficient information (Articles 12–13 GDPR) and lack of valid consent (Article 6 GDPR) for the personalisation of its advertisements.
- The German data protection authority ("LfDI Baden-Württemberg") fined a social media company EUR 20,000 for a breach of its data security obligations (Article 32 GDPR).
In Belgium we are still awaiting the first such action by the DPA. The DPA did announce earlier, however, that investigations were already under way.
EDPB 2019/2020 work programme indicates future priorities
In the coming months we can expect more guidelines from the EDPB. From its work programme for the period 2019/2020, it appears that the EDPB will focus, among other things, on connected vehicles, camera surveillance, social media and blockchain technology