Gibson Dunn | Europe | Data Protection – January 2021

January 11, 2021


Personal Data Watch

Europe

12/24/2020 – EU-UK Trade And Cooperation Agreement | Brexit | Data flows

The European Union and the United Kingdom have reached an agreement on a draft EU-UK Trade and Cooperation Agreement (FTA), which allows personal data to continue to flow freely from the EU (and EEA) to the UK for a bridging period of no more than six months, pending the adoption of adequacy decisions.

The UK supervisory authority welcomed the FTA but recommended that businesses put in place alternative transfer mechanisms to safeguard against any interruption to the free flow of personal data from the EU to the UK.

The French Supervisory Authority has specified that the “one-stop shop” will no longer be applicable in the United Kingdom as of 1 January 2021.

For further information: EU-UK Trade and Cooperation Agreement; ICO Website; CNIL Website (in French)


12/17/2020 – European Commission | Competition | Acquisition of Fitbit by Google

The European Commission announced that it had cleared the acquisition of Fitbit by Google, subject to conditions, including Google’s commitment not to use the health and wellness data collected from Fitbit users in the EU for Google Ads.

For further information: Commission Website


12/15/2020 – European Commission | Final proposals | Digital Services Act and Digital Markets Act

The European Commission published its final proposals for the Digital Services Act and the Digital Markets Act, which aim to regulate digital platforms.

The European Parliament and the Member States will discuss the Commission’s proposals and, if these proposals are adopted, they will be directly applicable across the EU.

For further information: Commission Website


12/15/2020 – European Data Protection Board | Guidelines | Restriction of data subject rights

The European Data Protection Board (EDPB) adopted its Guidelines 10/2020 on restrictions under Article 23 GDPR.

The Guidelines address the grounds for restricting data subjects’ rights, including for national security and public defence and for objectives of general public interest. They are open for consultation until 12 February 2021.

For further information: EDPB Website


12/15/2020 – European Data Protection Board | Strategy 2021-2023

The European Data Protection Board (EDPB) adopted its Strategy 2021-2023.

The EDPB’s strategic objectives are gathered around four pillars: (i) advancing harmonisation and facilitating compliance; (ii) supporting effective enforcement and efficient cooperation between national supervisory authorities; (iii) a fundamental rights approach to new technologies; and (iv) the global dimension.

For further information: EDPB Website


12/15/2020 – European Data Protection Board | Guidelines | Interplay between the PSD2 and the GDPR

The European Data Protection Board (EDPB) adopted its final version of the Guidelines 06/2020 on the interplay between the second Payment Services Directive (PSD2) and the GDPR following a public consultation.

The Guidelines aim to provide further guidance on data protection aspects in the context of the PSD2, in particular on the relationship between the relevant provisions of the GDPR and the PSD2.

For further information: EDPB Website


12/15/2020 – European Data Protection Board | Statement | Relationship of anti-money laundering and counter-terrorist financing measures with data protection requirements

The European Data Protection Board (EDPB) published a statement on data processing in the context of anti-money laundering and counter-terrorist financing (AML/CFT) measures.

In particular, the EDPB stressed that a review of the relationship between AML measures and data protection is required before updating the AML framework.

For further information: EDPB Website


France

12/17/2020 – French Supervisory Authority | Sanction | Doctors

The French Supervisory Authority (CNIL) fined two doctors €3,000 and €6,000 for failing to adequately protect their patients’ personal data and failing to notify a data breach to the CNIL.

For further information: CNIL Website (in French)


12/11/2020 – French Supervisory Authority | Opinion | Public security decrees

The French Supervisory Authority published its opinion on three public security decrees (PASP, GIPASP and EASP).

For further information: CNIL Website


12/10/2020 – French Supervisory Authority | Sanction | Cookies

The French Supervisory Authority (CNIL) fined two US tech companies €100M and €35M for cookie violations.

The CNIL observed that when a user visited the companies’ websites, advertising cookies were automatically placed on his/her computer, without any action required on his/her part. Moreover, the information provided on cookies was neither clear nor complete.

The authority noted that the amount of the fines and the decision to make them public were justified by the seriousness of the breaches observed.

For further information: CNIL Website; CNIL Website


Germany

12/16/2020 – Federal Government | Draft bill | IT Security Act 2.0

The Federal Government has adopted a draft bill for an “IT Security Act 2.0”, which aims at strengthening data and cybersecurity in Germany.

The draft bill contains provisions regarding, inter alia, increased powers for the Federal Office for Information Security (BSI), consumer protection in the digital world and new obligations for operators of critical infrastructure, such as electricity and gas providers.

For further information: Website of the Federal Government (in German)


12/11/2020 – Federal Constitutional Court | Ruling | “Data mining”

In an order published on December 11, 2020, the Federal Constitutional Court in Karlsruhe held that “data mining” pursuant to the German Counter-Terrorism Database Act is in part unconstitutional.

The German Counter-Terrorism Database Act contains provisions which allow national security authorities to engage in extended use (“data mining”) of data stored in the counter-terrorism database established by the Act. These provisions thereby enable the direct use of the counter-terrorism database to generate new intelligence from the data it contains.

The Court decided that parts of the respective provisions did not set out clear and sufficient thresholds for national security authorities carrying out such “data mining” measures, which means that those parts of the provisions are incompatible with German constitutional law and thus void.

For further information: Federal Constitutional Court Website


Ireland

12/09/2020 – Irish Supervisory Authority | Sanction | Data Breach

The Irish Supervisory Authority (DPC) fined Twitter International Company €450,000 concerning its 2019 data breach.

As a reminder, following a dispute between supervisory authorities about the DPC’s draft decision, the European Data Protection Board (EDPB) adopted its first binding decision in accordance with the dispute resolution process under Article 65 of the GDPR (Decision 1/2020, under Article 65(1)(a), adopted by the EDPB on 9 November 2020). Consequently, the DPC was required to adopt its final decision in this case on the basis of the EDPB Decision.

For further information: DPC Website


Italy

12/23/2020 – Italian Supervisory Authority | e-portal | Data breach notification

The Italian Supervisory Authority launched an e-portal to support data controllers in the formalities required in the event of a data breach.

The tool includes a notification model and a self-assessment procedure.

For further information: Garante Website (in Italian)


12/22/2020 – Italian Supervisory Authority | Proceedings | TikTok

The Italian Supervisory Authority (Garante) initiated proceedings against TikTok, Inc. over the risks which the social network allegedly poses to children’s privacy.

The investigation launched by the Garante in March 2020 highlighted a series of alleged breaches, noting inter alia that children under the age of 13 may easily use a false date of birth to create an account, that the privacy information is standardized where a dedicated section for children, written in simpler language, would be necessary, and that the information on data transfers to non-EU countries lacks clarity. TikTok now has 30 days to submit its defense.

For further information: Garante Website


12/18/2020 – Italian Supervisory Authority | Guidance | Right of access

The Italian Supervisory Authority published guidance on the right of access.

For further information: Garante Website (in Italian)


12/05/2020 – Italian Supervisory Authority | FAQs | Video surveillance

The Italian Supervisory Authority published its FAQs on video surveillance.

For further information: Garante Website


Netherlands

12/15/2020 – Dutch Supervisory Authority | Warning | Use of facial recognition

The Dutch Supervisory Authority issued a warning against a supermarket for its use of facial recognition in 2019.

For further information: AP Website (in Dutch)


Norway

12/21/2020 – Norwegian Supervisory Authority | Launch | Coronavirus app

The Norwegian Supervisory Authority (Datatilsynet) announced the launch of a new Coronavirus app.

The Datatilsynet noted that, unlike the previous version of the app, the current version complies with data protection requirements.

For further information: Datatilsynet Website (in Norwegian)


Poland

12/14/2020 – Polish Supervisory Authority | Sanction | Security

The Polish Supervisory Authority fined a telecommunications operator PLN 1.9 million (approx. €420,000) for failing to carry out regular and comprehensive evaluation tests of its technical and organisational security measures.

For further information: UODO Website


Romania

12/17/2020 – Romanian Supervisory Authority | Sanction | Security

The Romanian Supervisory Authority (ANSPDCP) fined a bank RON 487,380 (approx. €100,000) for inadequate security measures.

The ANSPDCP found that personal data had been posted on two websites.

For further information: ANSPDCP Website


Spain

12/12/2020 – Spanish Supervisory Authority | Sanction | Information and consent

The Spanish Supervisory Authority (AEPD) fined a bank €5M for violations of the right to information and lack of valid consent.

In particular, the AEPD highlighted that the bank used imprecise terminology to define its privacy policy and provided insufficient information. Moreover, the bank failed to obtain consent before sending promotional SMS and did not implement a specific mechanism for consent to be obtained by customers and account managers.

For further information: AEPD Website (in Spanish)


Sweden

12/03/2020 – Swedish Supervisory Authority | Sanction | Healthcare providers

The Swedish Supervisory Authority announced that it had imposed fines on seven healthcare providers of up to SEK 30 million (approx. €3 million) for deficiencies in how they control staff access to patient data.

For further information: Datainspektionen Website


United Kingdom

12/18/2020 – UK Supervisory Authority | Blog post | Use of algorithms for employment decisions

The UK Supervisory Authority published a blog post on the use of algorithms and automated decision-making in the employment context.

For further information: ICO Website


12/17/2020 – UK Supervisory Authority | Code of practice | Data sharing

The UK Supervisory Authority published a new Data Sharing Code of Practice, aiming to provide practical advice to businesses on how to carry out responsible data sharing.

The Code will now be laid before Parliament before it comes into effect.

For further information: ICO Website


12/09/2020 – UK Supervisory Authority | Sanction | Marketing calls

The UK Supervisory Authority fined a company £45,000 for making 39,000 marketing calls relating to pension schemes, using data scraped from LinkedIn contact lists.

For further information: ICO Website


12/04/2020 – UK Supervisory Authority | Sanction | Marketing texts

The UK Supervisory Authority fined a mortgage broker £50,000 for sending 174,342 nuisance marketing texts.

For further information: ICO Website


Others

12/22/2020 – NOYB | Comments | Supplementary measures

The association NOYB issued comments on the EDPB’s supplementary measures, in the context of the public consultation on the Guidelines.

For further information: NOYB Website


This newsletter has been prepared by the European Privacy team of Gibson Dunn. For further information, you may contact us by email:

© 2021 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.