On 14th September, the EDPB held its 38th Plenary Session. There have been no official announcements concerning the proceedings or outcomes of the session on the EDPB’s website. The agenda for the session, however, indicates that the following significant matters, amongst others, were discussed:
- ‘Information regarding the exchange of views with the LIBE Committee on the recent CJEU Schrems II judgment’;
- ‘WSJ recent press article – Sharing information on salient topics escalated in public sphere’ (we presume the article referred to is that published on September 9th 2020 concerning the Irish DPC and Facebook);
- ‘Task force 101 complaints’ (we presume this refers to the 101 complaints filed by NOYB concerning international data flows – see also the story on noyb’s complaints below);
- The work of the Enforcement Expert Subgroup on a ‘Coordinated Enforcement Framework’ and on the ‘Exchange of Information in Relevant Cases’;
- The work of the Cooperation Expert Subgroup on ‘Administrative cooperation between EU and Supervisory Authorities in third countries’.
– European Commission Publishes ‘Ethics of Connected and Automated Vehicles’ –
The European Commission has just published the Expert Group report ‘Ethics of Connected and Automated Vehicles: Recommendations on road safety, privacy, fairness, explainability and responsibility’. The report aims to ‘promote a safe and responsible transition to connected and automated vehicles (CAVs) by supporting stakeholders in the systematic inclusion of ethical considerations in the development and regulation of CAVs’. Of particular interest to the privacy and data protection community will be the two chapters of the report on ‘Data and Algorithm Ethics: Privacy, Fairness, Explainability’ and on ‘Responsibility’. The report promotes a number of logical recommendations concerning CAVs, including that: ‘agile and continuous consent’ approaches to consent for CAVs be introduced – especially in light of the volume and variety of data collected; ‘[p]olicymakers, with assistance from researchers, should develop legal guidelines that protect individuals’ rights at group levels (e.g. driver, pedestrian, passenger or other drivers’ rights) and should outline strategies to resolve possible conflicts between data subjects that have claims over the same data’; there is a need to ‘develop transparency strategies to inform users and pedestrians about data collection and associated rights’; and ‘CAVs should be designed and operated in ways that neither discriminate against individuals or groups of users, nor create or reinforce large-scale social inequalities among users’. Whether, and to what degree, the recommendations in the report are pursued by policymakers remains to be seen.
– CNIL Guidance on the Processing of Employee Data During COVID-19 –
On 23rd September the CNIL released guidelines to employers concerning compliance with the GDPR regarding the monitoring of employees’ health during the COVID-19 crisis. The guidance goes into detail with regard to the following four issues: measuring employee temperature upon entry into the workspace; carrying out serological tests and sending health questionnaires to employees; work re-organisation via the use of software; and data processing in the framework of the work continuation plan. The CNIL emphasizes, in particular, that whereas employers may process health-related data in the context of the current crisis under the current legal framework, the limits imposed by the GDPR have to be respected – e.g. the principle of data minimisation in relation to the amount of (health) data an employer may collect – and reminds employers that health data are sensitive data, whose processing should remain an exception. It is positive that data protection supervisory authorities keep reminding controllers of the need for compliance with the GDPR whilst highlighting the possibilities for processing personal data in the context of the pandemic. This demonstrates the flexibility of the GDPR as an instrument which strikes a fair balance between data protection and other societal interests.
– Swiss Data Protection Law Adjusted toward the GDPR –
Last week, the Swiss Parliament passed a new law concerning the total revision of the Swiss Federal Data Protection Law. In short, the new law seeks to adapt the existing Swiss legislation on data protection in the private and public sectors toward the approach of the EU data protection framework. Some have noted, however, that the new law does contain significant differences from the GDPR and LED. These differences include weaker provisions on consent as well as the ease with which personal data may be transferred to foreign authorities. They further argue that the processing of non-personal data, e.g. for statistical purposes, is more strictly regulated under the new law. The new Data Protection Act is supposed to come into effect in 2022. The Swiss Data Protection Commissioner has expressed support for the new law and will publish a more detailed review after the referendum. The new Swiss law proves once again that EU data protection standards have an influence on third countries.
– noyb Complaints Receive Limited Response –
In August of this year, the NGO noyb filed 101 complaints ‘against several companies based in the EU/EEA because they continue to use Google Analytics and Facebook Connect on their websites – thereby transferring personal data to Google and Facebook in the US.’ On 22nd September, noyb followed up on the progress of these complaints and informed the public that there has been ‘[h]ardly any reaction from the companies concerned’. In fact, it seems that ‘only two companies and one university have contacted noyb – all of them based in Liechtenstein.’ It is interesting that noyb has received so little response from the companies involved, and this lack of response will become more notable as time goes on and as the complaints progress. What would be more interesting to know, however, is the reason that companies have not responded. Are they simply ignoring the CJEU Schrems II decision and hoping the limitations the case puts on international data flows will somehow disappear? Are they hoping that the limitations placed by the case will, over time, begin to be ignored by the relevant authorities? Are they hoping that further guidance will appear which will allow them to adapt existing practices and legally continue with existing transfers – for example forthcoming guidance from the EDPB concerning safeguards and bilateral agreements? Or are they working to find alternative solutions and adapting practices in line with the case before making their actions public? Further research into such questions would be most welcome.
– RTB Complaint to the Irish DPC –
On 21st September Johnny Ryan of the Irish Council for Civil Liberties made a submission to the Irish DPC – following up on his complaint with the same authority from two years ago – concerning the data protection breaches which occur in the framework of real-time bidding (RTB). The complaint focuses on the fact that, through the data disclosed to companies via RTB, a large quantity of sensitive information is collected on internet users which is then used to influence our behaviour in different contexts. We note that the submission is significant for two reasons. First, it adds momentum to the growing scrutiny of the data protection breaches and risks posed by RTB. Second, the submission contains very interesting technical and factual information for researchers and policymakers concerning how RTB actually functions and how its practices are at odds with the GDPR.