Data Protection Insider, Issue 38

– EDPB Adopts Documents During 42nd and 43rd Plenary Sessions

The EDPB held its 42nd and 43rd Plenary Sessions at the end of 2020. During these two sessions the EDPB adopted the following documents:

  • ‘Statement on the future ePrivacy Regulation’;
  • ‘EDPB Strategy 2021-2023’;
  • ‘EDPB Document on Terms of Reference of the EDPB Support Pool of Experts’;
  • ‘Statement on the end of the Brexit transition period’;
  • ‘Information note on data transfers under the GDPR after the Brexit transition period’;
  • ‘Guidelines on restrictions of data subject rights under Article 23 GDPR – version for public consultation’;
  • ‘Guidelines on the interplay of the Second Payment Services Directive (PSD2) and the GDPR (following public consultation)’;
  • ‘Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (following public consultation)’;
  • ‘Statement on the protection of personal data processed in relation with the prevention of money laundering and terrorist financing’;
  • ‘Article 64 Opinion on the draft decision regarding Equinix’s Controller BCRs’.

The documents are already available for consultation on the EDPB website.

 

– Močuļskis v Latvia: Seizing a Lawyer’s Tablet in breach of Article 8 ECHR

On 17th December 2020 the ECtHR ruled in the case of Močuļskis v Latvia on the question of the legitimacy of searching and seizing a lawyer’s tablet in the course of criminal proceedings against the lawyer and one of his clients. According to the facts of the case, the applicant is a lawyer, defending, amongst others, a person suspected of being involved in trafficking in human beings. After taking over the case, and while the client was being held in custody, e-mail accounts containing important information for the investigation of the crime were deleted and blocked from an IP address identified to belong to the applicant. Thus, the applicant became a suspect in the crime of concealing information relevant to a serious crime. Following this, the police, acting upon an arrest warrant, seized and searched the lawyer’s tablet in order to look for evidence concerning both crimes. The applicant complained that the seizure of his tablet, which contained privileged information, was disproportionate and breached Article 8 ECHR. The Court ruled that the measure – i.e. the search warrant – was compliant with domestic law and pursued a legitimate aim. The Court ruled, however, that the measure was “not necessary in a democratic society”. Whereas the search warrant was based on reasonable doubt and its scope was sufficiently clear, its execution was not accompanied by “adequate and effective safeguards against abuse”. The Court emphasized that the search was not accompanied by safeguards against accessing and copying information protected by the professional secrecy of the lawyer-client relationship – e.g. by having an independent observer who could identify documents protected by professional secrecy or by prohibiting the removal of content protected by such secrecy. 
The Court noted that “(f)urthermore, there was no possibility of having an investigating judge decide whether or not particular material could be used by the investigation if the applicant had objected to such use on the grounds of professional confidentiality”. In addition, the tablet was ordered to be retained until the criminal proceedings were concluded and thus the tablet was not returned to the lawyer, disregarding both the professional secrecy requirements and questions as to whether all the information stored on it was necessary for the proceedings in question. We note that, whereas the decision in the case is straightforward and unsurprising, it is positive that the Court is adhering to and developing the case law concerning the need, in search and seizure operations, to distinguish information relevant for criminal investigations while also protecting professional secrecy requirements – a thin line indeed when a lawyer is both a lawyer and a suspect at the same time.

 

– Brexit Deal and International Data Transfers

The EU and the UK signed a trade and cooperation agreement – the Brexit deal – on 30th December 2020. The agreement ends the transition period between the two jurisdictions, which had been put in place following the UK’s departure from the EU and during which existing rules on the EU and UK’s relationship remained applicable. Technically, from the perspective of EU data protection law, the UK is now a third country for which no adequacy decision exists. The EU continues to work on an adequacy agreement to facilitate transfers between the EU and the UK. In order to mitigate the potentially significant consequences of the fact that the UK is now a third country with no adequacy decision, however, the trade and cooperation agreement permits the ongoing free exchange of personal data between the two jurisdictions – as if the UK were adequate – following the end of the transition period: the EU-UK data bridge. The bridge will last for up to six months within which time a decision on UK adequacy should be made. During the period of operation of the bridge, the UK cannot change its data protection laws – i.e. the GDPR and the UK DPA 2018 will continue to apply. Whether the UK will eventually receive adequate status remains – as discussed in previous issues of Data Protection Insider – uncertain.

 

– Europol to Get a Stronger Mandate and New Data Protection Regime

On 9th December 2020 the European Commission tabled two new legislative proposals for amending the regulatory framework for Europol. The proposals pursue the following 9 objectives: (1) allowing Europol to enter alerts in the Schengen Information System with respect to Third-Country Nationals suspected of being involved in a crime for which Europol is competent; (2) enabling Europol to cooperate with private parties, e.g. electronic communication service providers; (3) helping national law enforcement authorities analyse big data; (4) boosting Europol’s research and innovation activities; (5) allowing Europol to cooperate with Third Countries on a case-by-case basis in specific situations within Europol’s mandate; (6) vesting Europol with the power to request national law enforcement authorities to open criminal investigations where the crime concerns Union policies, even where it does not have a cross-border dimension; (7) strengthening its cooperation with the European Public Prosecutor’s Office; (8) strengthening Europol’s parliamentary oversight and accountability; and (9) strengthening its data protection regime by aligning it with the provisions of Regulation 2018/1725 on data protection for the EU institutions, agencies and bodies. We note that the proposed amendments, if they go through in their proposed shape, would imply broad changes to Europol’s powers. The proposals will strengthen Europol’s executive powers and will turn it into a more significant information hub – further blurring the lines between Europol and the national law enforcement authorities. In that sense, it is positive that Europol’s data protection regime will be bolstered by aligning it with the requirements of the law enforcement limb of Regulation 2018/1725 – a newer instrument aligned with the GDPR and Directive 2016/680.
Questions remain, however, as to whether this will sufficiently guarantee the adequate protection of personal data where blurred responsibilities may lead to a blurred applicability of Regulation 2018/1725 and Directive 2016/680 – concerning data protection standards applicable to the national law enforcement authorities. This question is especially poignant in relation to instances in which Europol performs big data analysis of data collected and further processed by national law enforcement authorities.

 

– New E-Privacy Proposal

The Portuguese Presidency of the Council has circulated a new proposed version of the E-Privacy Regulation. In terms of the novelty of the proposal, three points stand out. First, in terms of structure, the Portuguese Presidency is seeking to simplify the text. Second, in terms of the function of E-Privacy legislation within a broader data protection legal ecosystem, the Portuguese Presidency is seeking to further align the E-Privacy Regulation with the GDPR. Third, in terms of substantive content, the Portuguese Presidency is seeking to make changes to the ways and instances in which communications metadata might be legitimately processed by data controllers: ‘The most important amendment is the possibility to process electronic communications metadata (Article 6c and Recital 17aa) and to use processing and storage capabilities of terminal equipment and the collection of information from end-user’s terminal (Article 8 (1) (g)) for further compatible processing, fully aligned with Articles 5 (1) (b) and 6 (4) of GDPR (further compatible processing).’ It seems likely that this final, substantive change will receive push-back from those concerned about rights implications of increased access to communications metadata. In principle, progress on E-Privacy reform – provided this progress takes normatively reasonable shape – is welcome. Whether this new proposed version of the Regulation, however, will fare better than previous versions remains to be seen.

 

– Twitter Decision following Article 65 Procedure

In December 2020, the Irish DPC finally published its decision to fine Twitter for breaches of the GDPR. The fine relates to an investigation into Twitter’s compliance with the Article 33(1) obligation to inform a DPA following a data breach and with the Article 33(5) obligation to document a data breach. The fine has been set at 450,000 EUR. The fine is large and has received some attention in this regard. The fine has perhaps received more attention, however, as the result of the first binding decision based on the GDPR’s Article 65 procedure. As the infringement in question related to more than one jurisdiction, the initial decision of the Irish DPA was subject to objection by other DPAs. Several other DPAs took advantage of this opportunity and, accordingly, triggered the Article 65 process for dispute resolution by the European Data Protection Board. The Board published their decision on 9th November 2020, which was then adopted by the Irish DPC in its final published decision on the case. In the Board’s decision, whilst the majority of the other DPAs’ objections were dismissed, objections concerning the insufficiently dissuasive nature of the original fine were upheld and the Irish DPC was required to increase ‘the level of the fine in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality established by Article 83(1) GDPR and taking into account the criteria of Article 83(2) GDPR’.

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
