– CJEU Rules in Meta Platforms Ireland –
On 28th April, the CJEU ruled in the case of Meta Platforms Ireland Limited, formerly Facebook Ireland Limited, v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. The issue in question related, in essence, to the standing of a German consumer protection organisation to bring proceedings against Meta under the GDPR. In this regard, the referring Court posed the following question to the CJEU: ‘Do the rules in Chapter VIII, in particular in Article 80(1) and (2) and Article 84(1), of [the GDPR] preclude national rules which – alongside the powers of intervention of the supervisory authorities responsible for monitoring and enforcing the Regulation and the options for legal redress for data subjects – empower, on the one hand, competitors and, on the other, associations, entities and chambers entitled under national law, to bring proceedings for breaches of [the GDPR], independently of the infringement of specific rights of individual data subjects and without being mandated to do so by a data subject, against [the person responsible for that infringement] before the civil courts on the basis of the prohibition of unfair commercial practices or breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions?’ In summary, the CJEU considered that: ‘the answer to the question referred is that Article 80(2) of the GDPR must be interpreted as not precluding national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data, on the basis of the infringement of the prohibition of unfair commercial practices, a breach of a consumer protection law or the prohibition of the use of invalid general terms and conditions, where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.’ The case seems likely to be welcome news for data protection advocates, as the CJEU appears to employ a wide understanding of representative standing, as well as of the possibility for action through consumer protection for infringements of data protection rules.
– EDPB and EDPS Publish Opinion on Data Act –
On 4th May, the EDPB and the EDPS published the ‘EDPB-EDPS Joint Opinion 2/2022 on the Proposal of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)’. In principle, the EDPB and EDPS ‘welcome [that] it is explicitly mentioned that the Proposal complements and is without prejudice to Union law on data protection and privacy, in particular GDPR and e-Privacy Directive.’ However, they also highlight that ‘the Proposal…raises several concerns regarding the protection of the fundamental rights to privacy and the protection of personal data’. In this regard, the EDPB and EDPS go on to highlight a number of issues they see with the proposal. These include general issues, including the possibility ‘that the Proposal in its current text would extensively push a development towards “commodification” of personal data, whereby personal data are seen as a mere tradeable commodity [which] would not only undermine the very concept of human dignity and the human-centric approach the EU wants to uphold in its Data Strategy, but it would also risk undermining the rights to privacy and data protection as fundamental rights’. 
These also include more specific comments relating to: ‘Interplay of the Proposal with EU data protection laws’; ‘Interplay of the Proposal with DMA and DGA’; ‘General provisions (Chapter I of the Proposal)’; ‘Business to consumer and business to business data sharing (Chapter II of the Proposal)’; ‘Obligations for data holders legally obliged to make data available and terms related to data access and use between enterprises (Chapter III and IV of the Proposal)’; ‘Access to and use of data by public sector bodies and Union institutions, Agencies or Bodies (Chapter V)’; ‘International contexts non-personal data safeguards (Chapter VII of the Proposal)’; and ‘Implementation and enforcement (Chapter IX of the Proposal)’. The Data Act is an important aspect of the Data Strategy and may have significant impact on how data is used in Europe. The Opinion constitutes a detailed look at the deficiencies of the current proposal from a data protection perspective and should be read by anyone interested in data flows, data economies and data protection.
– Commission Launches European Health Data Space –
On 3rd May, the Commission announced the launch of the European Health Data Space (EHDS). According to the Commission, the EHDS will facilitate: ‘a genuine single market for digital health services and products…[and provide] a consistent, trustworthy and efficient framework to use health data for research, innovation, policy-making and regulatory activities, while ensuring full compliance with the EU’s high data protection standards.’ The launch of the EHDS comes on the back of recognition that: ‘the complexity of rules, structures and processes across Member States makes it difficult to access and share health data, especially cross-border [and i]n addition, health systems are now the target of increasing cyberattacks.’ The proposal for the EHDS tabled by the Commission will now be discussed by the Council and the Parliament. The proposals will be relevant to all in the data protection community with an interest in the processing and exchange of health data.
– AG Opinion on Data Protection in the Electronic Communications Sector –
On 28th April, Advocate General Collins delivered an Opinion on the preliminary ruling questions in Proximus NV v Gegevensbeschermingsautoriteit. As to the facts of the case, the applicant is a user of the telephone services offered by Telenet. Telenet provides the data of its subscribers to providers of public directories such as Proximus. When concluding the contract with Telenet, the applicant contacted Proximus to inform them that they did not wish their contact details to be published in any public directory and Proximus noted this in its systems. Three days later, Telenet transferred the data of its new subscribers to Proximus without indicating that the applicant’s data should not be included in the public directories. Several months later the applicant discovered their contact information in the public directories and re-contacted Proximus, which assured them that the data would be deleted. At the same time, the applicant filed a complaint with the Belgian DPA, which ordered Proximus to comply with the applicant’s withdrawal of consent and erasure request. Proximus challenged the DPA’s decision in court. The Brussels Court of Appeal sent four questions for preliminary ruling, which concern the interpretation of the consent requirement in data protection law, the right to be forgotten in Article 17 GDPR, the powers of the DPA to issue orders in relation to these two provisions and the interplay between the GDPR and the e-Privacy Directive. First, according to the AG, when it comes to consent, the GDPR requirements on consent are applicable in the framework of the e-Privacy Directive. Furthermore, he argued that the consent has to be obtained by the party which processes the data for the purpose in question (ie Proximus), unless consent has been obtained by another controller for the processing of the data for the same purpose (in casu Telenet, which, to our understanding, had not collected the applicant’s consent). 
Second, as to the question of erasure, the AG noted that once consent for the publication is withdrawn, Article 17 GDPR on the right to erasure becomes applicable. Third, the AG suggested that Proximus, as a controller for the publication of the data in its own directories, was responsible for communicating the withdrawal of consent to other controllers – eg other directories and Telenet. He derived this from the obligation in Article 12(2) GDPR for the controller to facilitate the exercise of data subjects’ rights and the accountability obligations of the controller in Articles 5(2) and 24 GDPR. Finally, according to the AG, Article 17(2) GDPR does not preclude a DPA from ordering the controller (in casu Proximus) to ‘tak[e] reasonable steps … to inform’ other controllers such as search engines like Google about the withdrawal of consent. Especially in view of the predominant market share of Google as a search engine, the AG concluded that this obligation remains even where the controller is not entirely certain that the search engine obtained the data in question from their directory: ‘Allowing controllers to evade responsibility for processing personal data on the basis of a possibility that the data in question had not been obtained from them would render any obligation in that regard ineffective in the many circumstances where data are linked or copied on the internet. Such an approach might even provide a perverse incentive to disseminate data in order to avoid being subject to that obligation.’ Whereas it remains to be seen whether the Court will follow the Opinion, we note that the interpretations given by the AG to the questions on consent and the right to erasure, and the relationship between the GDPR and the e-Privacy Directive, will hardly be surprising to those familiar with EU data protection law.
– EDPB Issues Statement on Enforcement Cooperation –
On 28th April, the EDPB issued a statement on how it will proceed in enforcement cooperation cases. According to the statement, the EDPB will focus on the following six measures to enhance its cooperation in cross-border cases: (i) ‘collectively identify[ing] cross border cases of strategic importance in different Member States on a regular basis, for which cooperation will be prioritised and supported by EDPB’; (ii) seeking alignment of ‘specific legal issues on matters of general application’; (iii) ‘further exchanging information on national enforcement strategies with a view to agreeing on annual enforcement priorities at EDPB level’; (iv) generally improving the communication between DPAs – e.g. improvements to technical tools and the adoption of templates for data subject rights requests; (v) proposing harmonisation of procedural law aspects which are relevant for the enforcement of the GDPR; (vi) embedding DPAs and the GDPR in the new structures that will emerge from initiatives such as the upcoming AI Act, the Data Governance Act, Data Act, Digital Services Act and Digital Markets Act.
– EDPS Pilots Two Social Media Platforms –
On 28th April, the EDPS started the public pilots of two new social media platforms ‘EU Voice’ and ‘EU Video’. The pilot allows EU institutions, bodies and agencies to share textual, visual, audio and video content via these platforms. By setting up these EU platforms the EDPS mainly aims to increase digital sovereignty and to achieve a high level of data protection: ‘The two platforms are part of decentralised, free and open-source social media networks that connect users in a privacy-oriented environment, based on Mastodon and PeerTube software. By launching the pilot phase of EU Voice and EU Video, the EDPS aims to contribute to the European Union’s strategy for data and digital sovereignty to foster Europe’s independence in the digital world.’ The EDPS will gather feedback from the participating EU entities and hopes that the launch of the two platforms ‘will mark a continuity in the use of privacy-compliant social media platforms.’