Data Protection: fourth quarter update

Spotlight
13 December 2019

The General Data Protection Regulation (GDPR) is constantly evolving, but progress is also being made with regard to the ePrivacy Regulation. This update provides you with an overview of the most important developments of the past quarter.

European Data Protection Supervisor publishes new guidelines on the concepts of controllers, processors and joint controllers

On 7 November 2019, the European Data Protection Supervisor (EDPS) published new guidelines (in English) on the concepts of "controller", "processor" and "joint controllers". Although the guidelines are addressed to the EU institutions and bodies, they are also useful for companies.

The guidelines repeat to a large extent the Article 29 Working Party's Opinion 1/2010 on the concepts of "controller" and "processor". In addition, they explain the impact of new case law of the European Court of Justice (ECJ) (Wirtschaftsakademie and Fashion judgments) and provide new examples and easy-to-use checklists.

Interestingly, these guidelines clarify that a company does not need to have access to personal data in order to be considered a controller. It is sufficient that it determines the purpose and means of the processing, that it influences the processing by being able to start (and stop) the processing of personal data, or that it receives anonymous statistics based on personal data collected and processed by another company.

European Data Protection Board publishes three new guidelines

  • On 8 October 2019, the European Data Protection Board (EDPB) adopted the final text of the guidelines regarding data processing on a contractual basis in the context of the provision of online services (Article 6(1)(b) GDPR – for a discussion of the draft directives, see Eubelius Spotlights June 2019).
  • On 12 November 2019, the EDPB published the final guidelines on the territorial scope of the GDPR (Article 3 – see Eubelius Spotlights March 2019 for a discussion of the draft directives). These final guidelines clarify several elements that remained unclear after the publication of the draft guidelines, in particular on (i) the establishment criterion, (ii) the targeting criterion, (iii) processing in a place where Member State law applies by virtue of public international law, and (iv) representatives of controllers or processors who are not established in the EU.
  • On 13 November 2019, the EDPB published draft guidelines on data protection obligations by design and by default (Article 25 GDPR). Data protection by design implies that, from the design of products and services that process data onwards, undertakings must take technical and organisational measures to ensure that data protection principles are applied. Data protection by default means that companies should set products and services to be as privacy friendly as possible by default. The guidelines list the main elements for design and default settings on the basis of the basic principles set out in Article 5 GDPR.

European Court of Justice clarifies consent requirements for cookies – is your website still compliant?

On 1 October 2019, the Court of Justice issued an important judgment on consent in the context of cookies. The case concerned a German website, Planet49 GmbH, which organised an online lottery. To participate in the lottery, participants had to provide their name and address and tick/untick two boxes: (i) a first unticked box (opt-in) allowing for third party offers and without which it was not possible to participate in the lottery, and (ii) a pre-ticked box (opt-out) allowing for the placement of cookies.

There are three lessons to be learned from the ECJ’s judgment for companies that set cookies:

  • Pre-ticked checkboxes (opt-out) do not provide for legally valid consent under the GDPR or the ePrivacy Directive. Consent requires an unambiguous, and therefore active, expression of the person's will (opt-in).
  • Consent must also be given individually for all types of cookies, regardless of whether the cookies collect personal data. A button to consent to providing personal data that simultaneously gives consent for all cookies together is therefore not sufficient.
  • The user can only give valid consent if the controller has provided clear and comprehensive information. This information must enable the user to easily assess the consequences of his consent and must include information about the storage period of the cookies (how long the cookies remain active or how this period is determined), and whether third parties have access to the cookie data.

Belgian Data Protection Authority publishes recommendation on protocol obligation

On 18 October 2019, the Belgian Data Protection Authority published a recommendation on the protocol obligation. This obligation follows from article 20 of the Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data (Framework Act). It entails that a federal government that shares personal data with another government or private body must conclude a protocol with that party which includes arrangements for data sharing. In principle, these protocols are concluded individually between the transmitting authority and the recipient(s) and may require some quite extensive drafting work. The DPA opens the door for (i) a model protocol for all receiving controllers that is concluded individually, or (ii) a general protocol that is concluded with a group of similar receiving controllers.

In the meantime, the DPA has taken five new decisions on the merits:

  • The DPA recently imposed a fine of EUR 5,000 each on a mayor and an alderman for misuse of personal data during the local elections in October 2018. In both cases, data was used with disregard for the purpose limitation principle (as was also the case in the earlier decision of the DPA – see Eubelius Spotlights June 2019 for a discussion of that decision). The mayor used personal data that he had obtained in his capacity as mayor for his election campaign. The alderman used a client list that he obtained in the context of the profession that he exercised in addition to his mandate as alderman. These decisions illustrate the risk of recycling personal data.
  • In September, the DPA decided that the requirement imposed by a merchant of reading an electronic identity card (eID) in order to create a loyalty card is contrary to the GDPR and imposed the (up to now highest) fine of EUR 10,000. The DPA ruled that a mandatory read-out of the identity card does not equate to valid (free) consent.
  • The DPA dismissed a complaint filed for alleged incompleteness of a response to an individual's exercise of their right of access. The DPA decided to do so because an investigation by the inspectorate found too little indication that the defendant had made insufficient efforts to respond adequately to the complainant's request. What is interesting about this decision is that, during the investigation, the inspectorate discovered certain irregularities (e.g. an unclear legal basis) which were not the subject of the complaint. For these infringements, the DPA ordered the defendant to bring the processing in line with the GDPR within a period of three months.
  • In a fifth decision, the DPA reiterated that a controller must provide an applicant data subject with unambiguous information on the action taken following his/her request within a period of one month. In addition, if the controller does not grant the request, he must explain why the request was not granted. The complaint in this case concerned failure to delete personal data obtained from an application. In this decision, the DPA also found certain irregularities (e.g. an incomplete record of processing activities) which were not the subject of the complaint. The DPA has reprimanded the defendant with regard to these infringements of the GDPR.

Market Court annuls DPA decision on the merits

In Eubelius Spotlights September 2019, we wrote about a reprimand the DPA imposed on FPS Public Health for not replying to a request for access, despite an earlier order to do so (Article 15 GDPR). The Market Court ("Marktenhof"/"Cour des marchés") annulled this decision (in Dutch) on appeal.

According to the Market Court, the decision of the DPA to sanction FPS Public Health was not lawfully justified. Further, the Market Court determined that the DPA is not allowed to express an opinion on the content of an internal or administrative decision. The DPA is only competent to rule on correct compliance with the GDPR and the Belgian privacy legislation. Since the contested decision contained substantive criticism about the functioning of FPS Public Health, the DPA exceeded its powers, which, according to the Market Court, made the decision unlawful.

Recent developments towards the future ePrivacy Regulation

On 8 November 2019, the Council of the European Union (under the Finnish Presidency) published its revised text of the Proposal for a Regulation on Privacy and Electronic Communications ("ePrivacy Regulation"). This text was submitted by the Council to the Committee of Permanent Representatives (COREPER) with a view to reaching a joint draft text.

With this text, it seemed for a moment that progress would finally be made in the search for a compromise on the text of the ePrivacy Regulation. However, on 22 November 2019, COREPER rejected the Council's proposal. The EU Commissioner for the Internal Market, Thierry Breton, announced in a speech on 3 December 2019 that the European Commission may develop a revised proposal with a reworked text of the ePrivacy Regulation as part of the forthcoming Croatian Presidency.