Data Protection Insider, Issue 76

EDPB Accor SA Dispute Resolution Decision Published

On 17th August, the EDPB published a dispute resolution decision, concerning a dispute between the French and the Polish DPAs concerning the fine to be imposed on Accor SA. The fine was imposed in response to breaches of the provisions on the right of access to one’s data and the right to object to marketing communication. In its decision, the EDPB recommended to the Lead Supervisory Authority – the French CNIL – to increase the fine in order to make it more ‘dissuasive’, taking into consideration Accor SA’s 2021 turnover. It did not agree with the Polish DPA’s request that the decrease in Accor SA’s turnover, or in other words – ‘the impact of the fine on ACCOR SA’s economic viability’ – has to be taken into account, as the turnover is already a factor in calculating the fine. Following the decision, the CNIL now has to re-calculate the fine. The full text of the decision can be found on EDPB’s website.

Czech Presidency Proposal on Data Act

According to Euractiv, the Czech presidency of the EU Council has proposed a ‘partial compromise’ concerning Chapter V of the Data Act – concerning the conditions under which privately held data might be accessed by public authorities. The compromise includes changes to both the scope and substance of the Chapter. According to Euractiv, proposed changes include, amongst others: the name of the Chapter – which now limits the scope to specific EU Institutions; the clarification of certain concepts – including the concept of exceptional need; and the conditions relevant to public authority access – including concerning personal data; According to Euractiv, the proposed compromise will be discussed on 5th September by the Telecom Working Party – the Council body responsible for the file.

 

Norwegian DPA Pushes for a Stop on Facebook Data Transfers

On 22nd August, Politico reported on the Norwegian DPA’s hard stance on blocking the future transfers of personal data by Facebook to the USA by imposing dissuasive fines. According to Politico, in essence, the DPA seeks the implementation and enforcement of the Schrems II ruling. Their comments come in response to the draft decision adopted by the Irish DPC in July which orders Meta/Facebook to stop transferring data to the USA on the basis of Standard Contractual Clauses (SCCs). Whereas the Irish DPC seeks to block the data transfers, it does not mention imposing a fine, which the Norwegian DPA pushes for in order to sanction the US giant for its past violations of the GDPR. As Politico mentions, the final decision of the Irish DPC might still take months and in the meantime a new Commission adequacy decision might be adopted in 2023, which might enable the transfers of personal data from the EU to the USA and which may be relied on by Facebook in the future instead of SCCs.

Über

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.

Hinterlasse eine Antwort