– CJEU Adopt Judgment on the Balance between Access to Documents and Data Protection–
On 6th April, the CJEU rendered a judgment in Saure v. the European Commission concerning access to documents held by the Commission on the COVID-19 vaccine contracts with the pharmaceutical industry. As to the facts of the case, the applicant is a German journalist who requested access to all documents in the possession of the Commission concerning the COVID -19 vaccines, relying on Regulation 1049/2001. The applicant received partial access, with the names and contact details of some participants from the industry in steering committee meetings erased from the documents. The Commission argued that the applicant had not motivated why the disclosure of the blacked-out information was necessary. Relying on Article 4(1)(b) of Regulation 1049/2001, it further argued that the disclosure of the names and contact details of the representatives of industry could interfere with their privacy as they might be contacted by outside persons. The applicant sought the annulment of the Commission decision. The Court started by examining the admissibility of the request. It noted that the disclosure of the requested data should be examined also in light of Regulation 2018/1725 – the data protection framework applicable to the data processing by the EU institutions, bodies and agencies – and in particular Article 9(1)(b) thereof, which requires that, for the disclosure of data beyond EU entities, ‘the recipient establishes that it is necessary to have the data transmitted for a specific purpose in the public interest and the controller, where there is any reason to assume that the data subject’s legitimate interests might be prejudiced, establishes that it is proportionate to transmit the personal data for that specific purpose after having demonstrably weighed the various competing interests.’ The Court disagreed with the two arguments presented by the applicant in favour of the disclosure. It was not convinced by the first argument that the disclosure could contribute to national security and public order under Article 8(2) ECHR. As to the second argument, relying on the right to information under Article 10 ECHR – the disclosure was argued to contribute to transparency, democracy, and preventing the spread of fake news – the Court was not convinced that the disclosure of the requested data was the only possible measure, and an appropriate measure, which could achieve this purpose. It concluded that the first requirement of Article 9(1)(b) Regulation 2018/1725 (public interest) was not fulfilled and that, because of this, the second requirement in Article 9(1)(b) (proportionality) could not be examined, and therefore the Commission’s refusal is legitimate under Article 4(1)(b) Regulation 1049/2001. The Court thus ruled that the application should be rejected as unfounded. We note that, whereas the Court pays great attention to data and private life protection, the judgment raises the question as to how far journalists should be expected to convincingly prove that their legitimate purpose can be achieved only through the requested personal data disclosure, without the burdens associated with proof themselves interfering disproportionately with journalistic freedom. Since the Court did not engage in balancing of the competing interests in casu, this essential question remains open.
– Council and Parliament Reach Provisional Agreement on the DSA –
On 23rd April, the Council and Parliament reached a ‘provisional political agreement…on the Digital Services Act (DSA)’. According to the Council: ‘The DSA follows the principle that what is illegal offline must also be illegal online. It aims to protect the digital space against the spread of illegal content, and to ensure the protection of users’ fundamental rights’. In terms of scope, the agreed Act: ‘will apply to all online intermediaries providing services in the EU’. In terms of content, the agreed Act includes a range of interesting provisions and approaches, including, amongst others ‘an obligation for very large digital platforms and services to analyse systemic risks they create and to carry out risk reduction analysis’ and a prohibition on ‘misleading interfaces known as ‘dark patterns’ and practices aimed at misleading users’. The provisional agreement will now be subject to final agreement by the Council and Parliament. The Act is highly significant for the development of the digital society and should be of significant interest to the data protection community.
– EDPB Issues Statement Concerning the Negotiations on the New Trans-Atlantic Privacy Framework–
On 6th April, the EDPS adopted ‘Statement 01/2022 on the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework’. In the Statement, the EDPB ‘welcomes the announcement of a political agreement in principle’ and the fact that the USA authorities commit to a high level of protection of the personal data of individuals in the European Economic Area (EEA). The EDPB explicitly states that it will examine the concrete legislative proposals resulting from this agreement, especially their compliance with the CJEU judgments on international transfers, and will issue an Opinion as soon as the Commission has shared with them any draft proposals. A special focus of the Opinion will be the necessity and proportionality of the processing of personal data for national security purposes and the (judicial) redress mechanisms available to the concerned individuals in the EEA. Finally, the EDPB recalls that the political agreement as such does not constitute a legal basis for the transfers of data.
– EDPS Issues 2021 Annual Report–
On 20th April, the EDPS published the EDPS Annual Report for 2021. The report provides a detailed account of the different activities in which the EDPS engaged in 2021. Those who would like to take a quick look at the report might jump to Chapter II, where the highlights across topics, types of actions, communication and administrative matters are summarized. Readers who wish to have a more detailed look at specific topics will find these in the following Chapters. More precisely, Chapter III is dedicated to Supervision and Enforcement. It focuses especially on international transfers, COVID-19, complaints, audits and investigations. Chapter IV deals with the supervision of the AFSJ and provides an account of the actions taken per institution (Europol, Eurojust, Frontex, EPPO) and in relation to the large-scale information systems. Chapter V looks at the EDPS’ work in relation to ‘Technology and Privacy’ – e.g. data breaches and cybersecurity. Chapter VI summarizes the work performed in relation to legislative consultations. Chapter VII is dedicated to the EDPS contributions to the work of the EDPB. Chapter VIII provides an overview of the international cooperation in which the EDPS has been engaged. The report also focuses on the following topics: ‘Cooperation with civil society’ (Chapter IX), ‘Transparency and access to documents’ (Chapter X), ‘The EDPS’ communication activities’ (Chapter XI), ‘Human resources, budget and administration’ (Chapter XII) and ‘The EDPS’ Data Protection Officer’ (Chapter XIII).
– CNIL Decides to Fine Dedalus Biology 1.5 Million for Breaches of GDPR –
On 15th April, the CNIL decided to fine the company Dedalus Biology 1.5 Million Euros for breaches of the GDPR. Earlier this year, a large data-leak was revealed, in which 500,000 people had data about them revealed on the internet – including data concerning medical information. In relation to the investigation of this breach, the CNIL found that the company – which is involved in the marketing of software solutions for medical analysis laboratories – had breached a number of provisions elaborated in the GDPR. These include: i) the obligation for the processor to follow the controller’s instructions (Art. 29 GDPR) – including the collection of more data than necessary to execute tasks requested by certain customers; ii) the lack of adequate security measures (Art 32 GDPR) – including the lack of encryption measures in relation to relevant data storage systems; and iii) the lack of an adequate formal agreement with controllers concerning the processing undertaken (Article 28(3) GDPR) – including the lack of provision of information as required in Article 28(3). The size of the fine was calculated considering the gravity of the infringements as well as the turnover of the company. Unfortunately, at the time of writing, information on the decision was available from the CNIL only in French. The authors are not fluent French speakers and have relied on an electronic translation of the CNIL’s press release to produce this report. Whilst this is not ideal, the authors found the decision interesting and worthy of discussion and thus made the decision to include the decision in this news-letter. Unfortunately, the authors cannot rule out the possibility that errors were made in translation or that these errors were reproduced in this report. Accordingly, the authors urge all readers interested in the decision to consult the primary materials themselves.
– Dutch DPA Fines Tax Authorities 3.7 Million for Breaches of GDPR –
On 12th April, the Dutch DPA announced its decision to fine the Dutch Tax Authorities 3.7 Million Euros for breaches of the GDPR. This is the highest fine ever to have been imposed by the DPA. The fine relates to several years of illegal processing linked to the the Tax Authorities’ use of the Fraud Signalling Facility (FSV) – a blacklist including records of fraud, which has been disabled since February 2020. In this regard, a number of infringements contributed to the fine, including: i) the lack of legal basis for processing; ii) the lack of specific advance definition of purpose; iii) the inclusion of incorrect personal data; iv) the excessive duration of retention of information; v) inadequate security measures; and vi) asking the DPO for advice on considering risks only after a year. The DPA also highlight that the Tax Authorities’ internal investigation revealed discriminatory practices. In determining the size of the fine, the Dutch DPA considered a number of factors, including the gravity of the infringements, the numbers of individuals impacted, the duration of the infringements and the history of relevant infringements. Unfortunately, at the time of writing, information on the decision was available from the Dutch DPA only in Dutch. The authors are not fluent Dutch speakers and have relied on an electronic translation of the DPA’s press release to produce this report. Whilst this is not ideal, the authors found the decision interesting and worthy of discussion and thus made the decision to include the decision in this news-letter. Unfortunately, the authors cannot rule out the possibility that errors were made in translation or that these errors were reproduced in this report. Accordingly, the authors urge all readers interested in the decision to consult the primary materials themselves.