On 22nd November, the CJEU invalidated a provision in the Anti-Money Laundering and Terrorist Financing Directive in the Joined Cases WM and Sovim SA v Luxembourg Business Registers, because it is not compatible with the EU data protection framework. As to the facts of the case, the applicants had submitted a request with the Luxembourg Business Registers so that the information concerning the beneficial ownership of companies they owned, including the personal data of the owners, be disclosed only to those entities mentioned in Luxembourgish law, which we understand implements the EU Anti-Money Laundering and Terrorist Financing Directive. In other words, they did not want the data to be accessible to the general public, because that information could place the applicants and their families at risk. Their requests were turned down. In subsequent procedures challenging the decision, the national courts, relying on the preliminary ruling procedure, raised questions about the compliance of the provisions with the GDPR and Articles 7 and 8 CFREU. In its ruling, the CJEU noted that ‘the general public’s access to information on beneficial ownership, provided for in Article 30(5) of Directive 2015/849 as amended, constitutes (a serious) interference with the rights guaranteed in Articles 7 and 8 of the Charter.’ Following this, it first examined whether the interference complies with Article 52(1) CFREU. It noted that the Directive provides a legal basis for the interference. Second, as to the objective of general interest, the Court found that ‘by providing for the general public’s access to information on beneficial ownership, the EU legislature seeks to prevent money laundering and terrorist financing by creating, by means of increased transparency, an environment less likely to be used for those purposes.’ Third, on appropriateness, necessity and proportionality, the Court ruled that the publication of the contested information is appropriate to attaining the objective of general interest. However, as to the requirement on strict necessity, the Court ruled that this was not demonstrated in casu – e.g. because it did not accept the Commission’s argument that it is difficult to define ‘legitimate interest’ in order to restrict access to those entities which have demonstrated legitimate interest in obtaining information on the beneficiaries (which was the rule with the previous version of the contested Directive). Finally, the Court established that the interference was not proportionate, inter alia, because the Directive did not specify exhaustively which personal data may be disclosed to the general public and ‘the regime introduced by Directive 2018/843, providing for the general public’s access to information on beneficial ownership, amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter, without that increased interference being capable of being offset by any benefits which might result from the latter regime as compared against the former regime, in terms of combating money laundering and terrorist financing (…).’ On these grounds, the contested provision of the Directive was invalidated.
– Political Agreement on E-Evidence Reached –
On 29th November, a ‘provisional political agreement’ was ‘reached…by the European Parliament and the Council on the new rules for sharing of e-evidence across the EU’. The legislation in question includes: i) ‘The Regulation on European Production and Preservation Orders’ which ‘seeks to adapt cooperation mechanisms to the digital age, giving the judiciary and law enforcement tools to address the way criminals communicate today, and to counter modern forms of criminality’; and ii) ‘The Directive on the appointment of legal representatives for the gathering of electronic evidence’ which aims to harmonize ‘rules on appointment of legal representatives or designated establishments’. Moving forward, the provisional agreement ‘will lead to the formal adoption of a Directive and a Regulation…Once published in the Official Journal, the Regulation will enter into force 20 days after publication…and shall enter into application three years after that. The Directive will enter into force 20 days after publication and Member States will then need to transpose the new elements of the Directive into national law within two and a half years.’ According to the Commission’s press release, the new legislation will ‘ensure reliable, transparent, and swift exchange of e-Evidence with a high level of protection’.
– German DSK Evaluation of Microsoft 365 –
On 25th November, the German Datenschutzkonferenz (DSK) published a summary of an evaluation of Microsoft 365. The evaluation concerns revisions made to Microsoft’s set of processor terms and conditions (‘„Datenschutznachtrag zu den Produkten und Services von Microsoft“…: „Datenschutznachtrag“)’. The revisions in question followed an initial problematic evaluation of Microsoft 365 in 2020, and a subsequent round of discussions with a Working Group involving several German DPAs. Whilst the Datenschutznachtrag does indeed contain certain changes in relation to the points highlighted in the initial evaluation and discussed with the Working Group, the new evaluation highlights there are still outstanding issues concerning compliance with data protection law. Points discussed in the new evaluation include, for example: the ‘Determination of the nature and purpose of processing and type of personal data’; ‘Microsoft’s own responsibility in the context of processing “for legitimate business purposes”’; the ‘Implementation of technical and organizational measures according to Art. 32 DSGVO’; the ‘Deletion and return of personal data’; and ‘Data transfers to third countries’. The evaluation should be interesting for all following the Microsoft 365 saga, as well as for all interested in data protection and the operation of software giants. Unfortunately, at the time of writing, information regarding the evaluation appears to be available only in German.
– German DSK Provides Orientation Concerning Research with Health Data –
According to a press release, the German Datenschutzkonferenz (DSK) ‘considers requirements for the scientific processing of health data at its 104th conference’ – which took place between 22nd and 24th November in Bonn. The Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) highlighted the importance of ‘transparent and comprehensible rules…the best legal and technical protection for data subjects…advice and monitoring by…data protection supervisory authorities’ and ‘legal regulation of research secrecy’. Further, according to the press release: ‘For the DSK, the basic guarantees and measures also include the issues of encryption and pseudonymization of data by a trusted body, as well as the earliest possible anonymization, as, when using anonymous data sets, researchers can make extensive use of data. A central register directory and a central coordinating body with a guiding function are also among the requirements of the DSK. Overall, the principle should apply that the more extensively and specifically data can be used, the greater the protection of the data subjects through suitable guarantees and measures.’ Unfortunately, at the time of writing, information appears to be available only in German.
– Irish DPC Fines Meta €265 million –
The Irish DPC started an inquiry into Meta Platforms in the spring of 2021 on the basis ‘of media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The scope of the inquiry concerned an examination and assessment of Facebook Search, Facebook Messenger Contact Importer and Instagram Contact Importer tools in relation to processing carried out by Meta Platforms Ireland Limited (‘MPIL’) during the period between 25 May 2018 and September 2019.’ The Irish DPC established deficiencies with regard to the implementation of adequate technical and organisational measures, which are required by Article 25 GDPR. The fine and the compliance order resulted after the Irish DPC – the Lead Supervisory Authority (LSA) – followed the consistency mechanism under the GDPR, in which all other European DPAs were involved.
– EDPB Holds 72nd Plenary Meeting –
On 5th December, the EDPB held its 72nd plenary Meeting. From the Agenda of the meeting, it becomes clear that the EDPB focused on the consistency mechanism and discussed, amongst others, the following points:
- ‘Decision on the dispute arisen on the draft decision of the Irish Supervisory Authority on Meta Platforms Ireland Limited and its Facebook service ( Art. 65(1)(a) GDPR)’;
- ‘Decision on the dispute arisen on the draft decision of the Irish Supervisory Authority on Meta Platforms Ireland Limited and its Instagram service (Art. 65(1)(a) GDPR)’;
- ‘Decision on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland Limited (Art. 65(1)(a) GDPR)’.