On 2nd September the EDPB held its 37th Plenary Session, during which it adopted two important documents:
- Guidelines on the concepts of controller and processor in the GDPR – analysed below
- Guidelines on the targeting of social media users.
In addition, the EDPB has set up a taskforce to examine the 101 complaints filed by noyb following the CJEU Schrems II judgement. Further, a separate taskforce will draft “recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries.”
– EDPB Guidelines on Controllers and Processors –
On 2nd September, the EDPB published its ‘Guidelines 07/2020 on the concepts of controller and processor in the GDPR’. The need for the Guidelines followed considerable uncertainty as to the scope and function of the concepts in the GDPR and as to whether this scope and function differs from that under Directive 95/46. The Guidelines are extensive and provide broad coverage of the concepts in question – as well as their relationship with each other and other relevant principles in the GDPR. Amongst other things, the Guidelines cover: the definitions of ‘controller’, ‘joint controller’, ‘processor’ and ‘third party/recipient’; the relationship between controllers and processors; and the consequences of the attribution of joint controllership. For the most part, the content of the Guidelines will contain few surprises for the European data protection community. Indeed, the Guidelines build extensively on interpretations of the concepts already present under Directive 95/46 – whilst updating these, wherever necessary, to the specifics and novelties of the GDPR. This seems to have been the intention of the EDPB, who explicitly observe: ‘A general observation regarding the concepts of controller and processor in the GDPR is that they have not changed compared to the Directive 95/46/EC and that overall, the criteria for how to attribute the different roles remain the same.’
– AG Bobek Opinion on Civil Law Claims and the GDPR –
On 3rd September Advocate General (AG) Bobek issued his Opinion in a case concerning the interpretation of Article 23(1)(j) GDPR – which allows a restriction to the rights of data subjects to be imposed for the purposes of enforcing civil law claims – and Article 23(1)(e) GDPR – which allows such restrictions to be imposed to protect important public interests such as the financial interests of the State. The referring court posed its question in the context of insolvency proceedings concerning a private company, in which the insolvency administrator requested access to tax information held by the tax authorities. AG Bobek first concluded that the GDPR is not applicable to the present case. One of the reasons given for this conclusion was that the GDPR does not apply to legal persons. However, as we reported in the previous edition of DPI, in certain Member States the scope of data protection law ratione personae does indeed cover legal persons. Despite this conclusion, AG Bobek decided to nevertheless provide an interpretation of the two provisions, which he read broadly. The AG found that Article 23(1)(j) GDPR should be deemed to apply to the pursuit of civil law claims by public authorities and not only by private individuals. The AG also found that the provision should apply to defence against civil law claims, even where the existence of the claims has not yet been established. The AG found that Article 23(1)(e) is not incompatible with provisions in national tax law, according to which information may be withheld “when that information may then be used to bring insolvency avoidance claims against those (tax) authorities”. It remains to be seen what the CJEU will decide. In any case, the AG’s analysis of the substance of the two provisions certainly provides useful guidance for those dealing with the provisions in either practical or academic contexts.
It is questionable, however, whether his broad interpretation of the two restrictions is compatible with the general understanding that provisions which may restrict individual rights under the GDPR should be given a narrow interpretation.
– Irish DPC Orders Facebook to Stop Transfers of Data to the US –
According to the Wall Street Journal, the Irish DPC has issued a preliminary order requiring Facebook to cease transfers of personal data from the EU to the US. Information on the order is not yet, however, available from the Irish DPC itself. The order comes on the back of the CJEU Schrems II judgment, in which the level of protection provided by the US legal system in relation to EU personal data was found to be problematic. That such orders begin to be issued in the wake of the Schrems II judgement will come as little surprise to many in the European data protection community – they seem a logical consequence of the decision. That such orders have started to be issued, however, raises several interesting issues. It will be interesting to see how many such orders are issued, to whom, from which DPAs and with which consequences for non-compliance. It will also be interesting to look at the content of such orders to see the degree to which they shut down the possibilities of legitimate transfers of EU personal data to the US.
– Privacy International Complaint Dismissed by the ECtHR –
On 3rd September, the European Court of Human Rights handed down a decision in relation to the application by Privacy International and Others against the UK. The application alleged that the UK had engaged in equipment interference – external interference with computing equipment for the purposes of obtaining information – under section 7 of the Intelligence Services Act 1994. The applicants complained that: ‘under Articles 8 and 10 [of the ECHR]…the power under section 7 of the Intelligence Services Act 1994 (“ISA”) was not in accordance with the law in the absence of a code of practice governing its use. Moreover, they complained that that section contained no requirement for judicial authorisation; there was no information in the public domain about how it might be used to authorise Equipment Interference; and there was no requirement for filtering to exclude irrelevant material.’ The Court dismissed the application as inadmissible on the grounds that the applicants had not fully exhausted all domestic remedies in their pursuit of justice. As the Court dismissed the application, there was no extensive consideration of the merits of the substance of the case. The Court did note, however, that: ‘[the action] complained of is particularly intrusive and that there is a need for safeguards in this domain’. Whilst this case has been deemed inadmissible, there is no doubt that more cases will be brought concerning state hacking and state surveillance. It seems highly probable that some of these will meet the admissibility criteria and that the matter will again have its day in court.
– Swiss – US Privacy Shield Declared Inadequate by Swiss DPC –
Following his annual assessment of the Swiss-US Privacy Shield’s compliance with Swiss data protection law, the Swiss Federal Data Protection and Information Commissioner (FDPIC) concluded that the Privacy Shield does not ensure an adequate level of protection for the rights of individuals whose data is transferred from Switzerland to the USA. The assessment is based on Swiss law, but is influenced by developments within the EU, especially the recent CJEU Schrems II judgement. As a result, the Commissioner has removed the US from the list of third countries considered to provide ‘adequate data protection under certain conditions’. The Commissioner’s assessment, however, does not strike down the Privacy Shield regime, which will continue to be valid until revoked. Swiss courts could also rule differently if the Privacy Shield were subjected to a legal challenge. Further, the Commissioner concluded that, in most cases, BCRs and SCCs – such as the EU SCCs – are not compatible with requirements in Swiss law concerning transfers of personal data to countries such as the USA. The Commissioner’s conclusion is based on the fact that these mechanisms do not guarantee the applicability of safeguards in Swiss data protection law. Finally, the Swiss DPC recommended that Swiss companies not transfer personal data where safeguards required by Swiss law are not met. The Commissioner’s conclusion demonstrates the ripple effect of the Schrems II judgement beyond the EU, as well as the confidence it has given data protection authorities in insisting on compliance with data protection regimes.