Gibson Dunn | Europe | Data Protection – July 2020

July 9, 2020


Personal Data Watch

Europe

06/30/2020 – EDPS | Strategy for 2020-2024

The European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, published the strategy for 2020-2024 which will focus on Digital Solidarity.

For further information: EDPS Strategy | Summary of the strategy


06/29/2020 – EDPS | Opinion | Artificial Intelligence

The European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, published his opinion on the European Commission’s White Paper on Artificial Intelligence.

For more information: EDPS Opinion


06/25/2020 – EDPB | Register of decisions | Cooperation procedure

The European Data Protection Board (EDPB) published on its website a register of the decisions taken by national supervisory authorities in accordance with the “one-stop-shop” cooperation procedure provided by Article 60 of the GDPR.

For further information: EDPB Website | EDPB Register


06/24/2020 – European Commission | Report | GDPR

The European Commission published a report on the impact of the GDPR, two years after its entry into force.

The report refers notably to the improvements brought by the GDPR, the application of the consistency and coherence mechanisms and the implementation measures taken so far.

For further information: European Commission Website | Q&A of the European Commission Website


06/16/2020 – EDPB | Publication | Interoperability | Contact tracing apps | COVID-19

The European Data Protection Board (EDPB) adopted a statement on the impact of interoperability of contact tracing applications on data protection.

In this publication, the EDPB provides recommendations in addition to the guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak and mentions in particular the transparency, proportionality and temporary nature of the tools.

For further information: EDPB Website


06/10/2020 – EDPB | TikTok | Working Group

The European Data Protection Board (EDPB) announced the creation of a working group to coordinate potential actions and acquire a more comprehensive overview of TikTok’s practices within the European Union.

For further information: EDPB Website


06/10/2020 – EDPB | Letter | Clearview AI | Biometric data

The European Data Protection Board (EDPB) expressed its concerns regarding certain developments in facial recognition technologies.

The EDPB points out that the use of a service such as Clearview AI by law enforcement authorities in the European Union would, as it stands, likely not be consistent with the EU data protection regulation.

For further information: EDPB Website | EDPB Letter


06/10/2020 – EDPB | Letter | NOYB | Cooperation

The European Data Protection Board (EDPB) published a response to the NOYB Association’s open letter on cooperation between supervisory authorities.

In its letter, the EDPB states that it is working on improving cooperation between supervisory authorities.

For further information: EDPB Website | EDPB Letter


06/03/2020 – EDPB | Publication | Article 23 GDPR

The European Data Protection Board (EDPB) issued a statement on the restrictions on data subjects’ rights in relation to the state of emergency in Member States.

In its publication, the EDPB recalls the principles related to restrictions on the individuals’ rights. In particular, it specifies that a state of emergency adopted in the context of a pandemic is a legal condition which may legitimise restrictions on the rights of data subjects, provided such restrictions only apply insofar as they are strictly necessary and proportionate to safeguard the public health objective. The EDPB also announces that it will issue guidelines on the implementation of Article 23 of the GDPR in the upcoming months.

For further information: EDPB Website | EDPB Publication


Belgium

06/26/2020 – Belgian Supervisory Authority | Fine | Marketing communications

The Belgian Supervisory Authority imposed a fine of €1,000 on an association that sent direct marketing messages to former donors for fundraising.

The administrative fine was imposed following a complaint lodged with the Belgian Supervisory Authority by a former donor of the association, as the association had not complied with his request for data erasure and his objection to the processing. Applying the criteria of European case law, the authority considered that the association could not rely on its legitimate interests to send such marketing communications.

For further information: EDPB Website


06/10/2020 – Belgian Supervisory Authority | Fine | Candidate for an election

The Belgian Supervisory Authority imposed a fine of €5,000 on a candidate in a local election.

The candidate used the staff registry of a municipality to send election propaganda to staff members. The authority considered in particular that the candidate processed the personal data of the municipal staff list in breach of the principles of lawful processing and purpose limitation.

For further information: EDPB Website | Belgian Supervisory Authority Website (French)


06/05/2020 – Belgian Supervisory Authority | Temperature reading | Deconfinement

The Belgian Supervisory Authority published on its website an article dedicated to temperature taking in the context of the fight against COVID-19.

The publication of the authority clarifies the situations in which taking the temperature of individuals falls within the scope of the GDPR as well as the applicable legal basis.

For further information: Belgian Supervisory Authority Website (French)


06/04/2020 – French Supervisory Authority | Employers | Covid-19

On 28 April 2020, the Belgian Supervisory Authority imposed a fine of €50,000 for various GDPR violations, notably for appointing a data protection officer (DPO) with conflicting roles.

In this case, the DPO also acted as the head of audit, risk and compliance, and considering various facts (e.g., conflicting duties, lack of a policy to prevent conflicts of interest), the authority considered that the DPO was not in a position sufficiently protected from a conflict of interests. The authority also considered that the DPO was not sufficiently involved in discussions regarding personal data breaches.

For further information: Belgian Supervisory Authority Website (French)


Czech Republic

06/12/2020 – Czech Supervisory Authority | Data breach | Report

The Czech Supervisory Authority announced that it received more than 100 data breach notifications between January and May 2020.

The main sectors affected by these breaches are finance, health and public administration. “Phishing” attacks were the most frequent.

For further information: IAPP Website | Czech Supervisory Authority Website (Czech)


Finland

06/04/2020 – Finnish Supervisory Authority | Fine

The Finnish Data Protection Authority imposed a penalty of €72,000 on the company Taksi Helsinki Oy.

The authority notably found that the company implemented a video-surveillance system recording audio and video in its taxis without first carrying out a privacy impact assessment required by the GDPR. The company also did not comply with its obligation to provide information.

For further information: EDPB Website


France

06/19/2020 – French Administrative Supreme Court | Google

The French Administrative Supreme Court (“Conseil d’Etat”) dismissed Google LLC’s appeal against the decision of the French Supervisory Authority (CNIL) of January 21, 2019, imposing a fine of 50 million euros on Google LLC.

This fine is, to date, the highest fine issued under the GDPR in the European Union. The decision is now final with no further possibility of appeal before French courts.

For further information: CNIL Website | French Administrative Supreme Court Website (French)


06/19/2020 – French Administrative Supreme Court | Guidelines on cookies and other trackers

The French Administrative Supreme Court (“Conseil d’Etat”) issued a decision concerning the guidelines on cookies and other trackers adopted by the French Supervisory Authority (CNIL) on July 4, 2019.

The French Administrative Supreme Court validated most of the CNIL’s guidelines, except for the prohibition related to “cookie walls”. The French Administrative Supreme Court stated that this prohibition, as set out in the CNIL’s guidelines, goes beyond what is legally possible under guidelines, which are an instrument of “soft law”. Following this decision, the CNIL specified that it will update its guidelines and will also specify practical methods to collect consent, after September 2020 according to a schedule which remains to be defined.

For further information: CNIL Website | French Administrative Supreme Court Website (French)


06/17/2020 – French Supervisory Authority | Recommendation | Smart and thermal cameras | COVID-19

The French Supervisory Authority (CNIL) published on its website recommendations related to the use of so-called smart and thermal cameras by public and private actors, in particular to facilitate the management of the health crisis and the deconfinement period.

In a first publication, the CNIL calls for vigilance regarding these devices, stressing that, subject to a case-by-case analysis, it appears to the CNIL that most of these devices do not comply with the applicable legal framework. In a second publication, the CNIL specifies the rules applicable to the implementation of these technologies, in particular the guarantees that these devices must provide under the GDPR.

For further information: CNIL Website | CNIL Website (French)


06/09/2020 – French Supervisory Authority | Activity Report 2019

The French Supervisory Authority (CNIL) published on its website its activity report for 2019, which presents its monitoring and enforcement activities, its participation in the European cooperation and the challenges for 2020.

In 2019, the CNIL reported that it carried out 300 investigations (including 169 on-site investigations), imposed 8 sanctions (including 7 fines), issued 42 formal notices (including 2 public notices) and received 14,137 complaints (which is an increase of 27% compared to 2018) as well as 2,287 notifications of personal data breaches. The 2020 challenges focus on cookies and the state of health emergency.

For further information: CNIL Website (French)


06/05/2020 – French Supervisory Authority | StopCovid Application

The French Supervisory Authority (CNIL) published on its website explanations on the StopCovid mobile application to allow a better understanding of the opinions and recommendations regarding the implementation of this application.

In its publication, the CNIL discusses in particular the following concepts: anonymization, access to the data collected, the role of the CNIL and users’ rights.

For further information: CNIL Website (French)


Germany

06/30/2020 – Baden-Württemberg Supervisory Authority | Fine

The IAPP website reports that the Baden-Württemberg Supervisory Authority issued a 1.24 million euro fine against a health insurance company for violations of the GDPR.

The health insurance company sought to use the personal data of individuals who gave their consent to several sweepstakes for advertising purposes. The Baden-Württemberg Supervisory Authority found 500 individuals actually had their personal data processed without their consent.

For further information: IAPP Website


06/17/2020 – Federal Commissioner for Data Protection and Freedom of Information (BfDI) | Report

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Professor Ulrich Kelber, presented the 28th activity report on data protection and the 7th activity report on freedom of information to the President of the German Bundestag.

The BfDI generally draws a positive balance of the GDPR but still sees further potential for improvement. In his 7th activity report on freedom of information, the BfDI provides information about his activities and significant topics with regard to governmental transparency and indicates that he believes that the German Freedom of Information Act (IFG) requires considerable modernisation. An English version of the report is expected to be published on this site in early July.

For further information: BfDI Website


06/16/2020 – German Data Protection Conference (DSK) | Guidance | Corona Application

The German Data Protection Conference (Datenschutzkonferenz – DSK) published guidance on the German Corona app.

The DSK acknowledged the design of the Corona application offered by the German Robert Koch Institute (data protection by design) and its voluntary use concept but stressed that the principle of voluntary use must not be undermined by other use cases. In particular, access to public buildings, office space, stores, restaurants, hotels, recreation sites etc. must not be made dependent on an entrant showing the application on his or her cell phone. Discrimination against users who opt not to use the application must be avoided.

For further information: DSK Website (German)


06/03/2020 – Data Protection Authority of Bavaria (BayLDA) | Guidance | Best Practice Checklist for healthcare institutions to prevent cyber-attacks

The Data Protection Authority of Bavaria (BayLDA) published best practice checklists for healthcare institutions to prevent cyber-attacks.

The BayLDA had recently started to publish best practice guidelines on important data protection topics. In May 2020, best practice checklists for home office environments were the first of the BayLDA’s publications of that nature. These have now been followed by the above-mentioned best practice checklists for healthcare institutions to prevent cyber-attacks, which aim to protect sensitive health and patient data and, more generally, the healthcare infrastructure as a whole, in particular in times of Covid-19.

For further information: BayLDA Website (German)


Ireland

06/26/2020 – Irish Supervisory Authority | Guidance | Return to Work Safely Protocol

The Irish Supervisory Authority (DPC) published guidance on the implementation of the Return to Work Safely Protocol.

The purpose of this guidance is to help employers implement the Protocol in a manner that complies with their obligations under the GDPR and the Irish Data Protection Act.

For further information: DPC Guidance | DPC Website


06/04/2020 – Irish Supervisory Authority | Report

The Irish Supervisory Authority (DPC) published a report on its regulatory activities conducted under the GDPR.

The report sets out the number of cases received by the authority, as well as the topics covered by these cases. In addition, the report highlights the decisions taken by the authority and the list and status of investigations against multinational technology companies.

For further information: DPC Report | IAPP Website


Italy

06/23/2020 – Italian Supervisory Authority | Annual Report 2019

The Italian Supervisory Authority published its 2019 annual report.

In this report, the authority presents the main actions and sanctions implemented in 2019.

For further information: IAPP Website | Italian Supervisory Authority Report (Italian)


Spain

06/09/2020 – Spanish Supervisory Authority | Fines

The Spanish Supervisory Authority has imposed several fines, including three under the GDPR.

Equifax Iberica was fined €75,000 for failing to delete the information of a data subject. The authority also imposed a fine of €39,000 on Xfera Moviles for failure to comply with Article 5(1)(f) of the GDPR regarding security. In addition, the authority fined Glovoapp23 €25,000 for failing to appoint a data protection officer.

Finally, the authority fined the company Twitter €30,000 for violating the legislation on cookies.

For further information: IAPP Website


06/09/2020 – Spanish Supervisory Authority | Tool | Entrepreneurial assistance

The Spanish Supervisory Authority announced the launch of a tool to help entrepreneurs comply with the GDPR.

The tool is based on a questionnaire that generates compliance documentation, such as privacy policies, cookie policies and contractual clauses.

For further information: Spanish Supervisory Authority Website (Spanish)


Sweden

06/19/2020 – Swedish Supervisory Authority | Fine | Video surveillance

The Swedish Supervisory Authority has imposed a fine of approximately €2,000 on an association for implementing a video surveillance system at the entrance of a building which also recorded audio data.

The authority notably considered that the association did not properly inform the residents about the implementation of the video surveillance and ordered the removal of the system.

For further information: EDPB Website


United Kingdom

07/02/2020 – UK Supervisory Authority | COVID-19 | Contact Tracing

The UK Supervisory Authority (ICO) published initial guidance for businesses asked to record and maintain personal data of customers, staff and visitors in support of the test and trace scheme.

For further information: ICO Guidance | Government Guidance


07/01/2020 – UK Antitrust Authority | Online platforms and digital advertising | Market Study | Statement of UK Supervisory Authority

On 1 July 2020, the UK’s Competition & Markets Authority (CMA) published the final report of its market study into online platforms and digital advertising, finding that competition is not working well in these markets, leading to substantial harm for consumers and society as a whole.

The CMA recommends that the UK government pass legislation to establish a new pro-competitive regulatory regime in these areas. The ICO noted in response to the CMA’s Market Study that “As data becomes ever more central to business models, the interaction between data protection and competition regulation increases. … Giving people control over what happens to their personal data is central to data protection law in the UK and is also a vital element of consumer protection. Our joint engagement will bring benefits to businesses and consumers alike. We look forward to working with the CMA and [UK communications regulator] Ofcom through the Digital Regulation Cooperation Forum and the Digital Markets Taskforce, by contributing our expertise in data protection and e-privacy regulation to these important initiatives.”

To this end, the ICO, CMA and Ofcom have established a new forum, Digital Regulation Cooperation Forum, to help ensure online services work well for consumers and businesses in the UK, strengthen existing collaboration and coordination between the three regulators and harness their collective expertise regarding the interaction between data, privacy, competition, communications and content.

For further information: ICO Website | CMA Website | Ofcom Website


06/12/2020 – UK Supervisory Authority | COVID-19 | Data Protection Advice

The UK Supervisory Authority (ICO) published on its website data protection advice for organisations in the context of the deconfinement.

In particular, the authority provides guidance on the implementation of tests and the monitoring of employees. The authority also presents its regulatory approach during the current health crisis.

For further information: ICO Website


06/11/2020 – UK Supervisory Authority | Age Appropriate Design | Draft legislation

The UK government has laid its Age Appropriate Design Code, also known as the Children’s Code, before the UK Parliament.

The Code sets out 15 standards that online services should meet to protect children’s privacy online. The ICO’s statement on the Code commends the “huge step towards protecting children online especially given the increased reliance on online services at home during COVID-19”. The ICO intends to develop a package of support to help businesses implement the Code.

For further information: ICO Website


Others

06/05/2020 – ePrivacy | Draft regulation | Status

The IAPP website reports that the Council of the European Union published on 29 May 2020 a report on the status of the latest draft ePrivacy Regulation.

For further information: Council of the European Union | IAPP Website


This newsletter has been prepared by the EU Privacy team of Gibson Dunn.

© 2020 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.