See below for the latest Data Blast from our legal team: campaigning risks, Meta’s security measure issue, UK signals marketers will be punished, trans-Atlantic progress on data sharing, and lessons from Germany & Holland on data right limits…
Data Issues in Campaigning
In February, the Hungarian DPA fined an organisation for failing to inform the signatories to a campaign for compulsory vaccination how their data would be used. The organisation had not obtained the consent of the data subjects to the use of their data. The DPA fined both the organisation and its chair, and said that if the organisation did not obtain the valid consent of the data subjects, it would have to delete the relevant data.
In March, the Belgian DPA found that a municipality was entitled to send emails to data subjects who had registered their email addresses for a campaign as volunteers to help distribute filtering face masks. The DPA found that the data controller had only used the data provided (i.e. the email address) for a valid purpose – i.e. the campaign in question. The DPA found that the processing was in the public interest, given the nature of the campaign in question, especially as the data subjects had themselves provided the data in question.
Security Must Be Seen to be Believed – Irish DPC fines Meta
The Irish DPC fined Meta Platforms (formerly Facebook Ireland Limited) EUR 17m for failing to have in place appropriate technical and organisational measures which would enable it readily to demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of twelve personal data breaches at issue. There does not appear to have been a question as to whether Meta actually had the security measures in place during the relevant time period; the issue was that it was unable to adequately prove that it had them.
This was a decision of the Irish DPC, but because there was a cross-border element to the processing, the DPC added every other EU supervisory authority across every Member State as a co-decision-maker. After a consensus was reached with all the EU supervisory authorities, the DPC’s decision therefore represents the collective view of every EU supervisory authority.
The DPC has also published a statistical report on the handling of cross-border complaints under GDPR’s One-Stop-Shop (‘OSS’), which can be found here. The OSS allows multinational companies engaging with cross-border processing within the EU to deal with a single lead supervisory authority for most of their processing activities.
UK ICO Makes Example of Predatory Marketers
The ICO has fined five companies a total of £405,000 for making over 750,000 unwanted marketing calls to older and vulnerable individuals. The ICO started its investigation on the back of complaints from the public and information from partner organisations such as Action Fraud, Trading Standards, Which? and the call blocker provider trueCall.
The Information Commissioner, John Edwards, said:
‘This is unacceptable and clearly exploitative. It is only right that we take tough and prompt action to punish those companies responsible using our full powers. Companies making similar nuisance calls and causing harm to people can expect a strong response from my office. I encourage anyone who is being pestered by other rogue operators, or knows a family member or friend who is, to report them to the ICO and we will step in to protect the public from these invasive calls.’
EU and US Agree Data Transfer Regime in Principle
Since the decision in Schrems in July 2020, which struck down the EU-US Privacy Shield, there has been considerable legal uncertainty for cloud services operating on a transatlantic basis. However, this could potentially be at an end, with the EU announcing reaching an agreement in principle with the US for transatlantic data flows. It is not clear how the two parties managed to bridge the gap between two very differently oriented systems. This means that little can be taken from the EU announcement until the full detail is presented. According to the European Commission press release:
‘The new Framework marks an unprecedented commitment on the U.S. side to implement reforms that will strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.’
The key principles of the Trans-Atlantic Data Privacy Framework can be found here.
Mr. Schrems appears already to be planning a challenge to the new regime, as he does not believe that the US will change its domestic approach to data. He tweeted: ‘Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights’ and ‘This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the US side. Let’s wait for a text but my bet is it will fail again.’
German Supreme Court balances data subjects’ rights against informants’
The German Supreme Court (BGH) refused to compel a landlord to provide the name of the neighbour who had complained that a tenant’s use of their flat was causing strong odours and vermin in the stairwell. The BGH stated that the rights of the data subject had to be balanced against the rights of the informant. However, the BGH noted that if the allegation was incorrect, it could not be assumed that the rights of the informant would be impaired by the landlord answering the information request. In that case it would be necessary for the data subject to receive the information in order to assert possible rights against the informant. The BGH said that the informant’s interest in secrecy must regularly take second place to the interest in accessing the information if the informant has provided incorrect information about the personal data of the data subject, whether deliberately or recklessly.
Dutch Court of Appeal upholds professional confidentiality obligations
The Court of Appeal of The Hague found that a law firm could restrict the information provided to data subjects in order to comply with professional obligations of confidentiality. The professional confidentiality obligations under Dutch law are set out in the Dutch Lawyer’s Act. This is a legislative measure that serves one of the objectives of Art. 23(1)(i) of the GDPR. The Court of first instance (with which the Court of Appeal agreed) stated that ‘compliance with the obligation of secrecy by the legal profession is a basic condition for the functioning of the rule of law’. Therefore the data subject’s right of access can be restricted under Art. 23 of the GDPR, provided that the restriction respects the principles of necessity, proportionality and subsidiarity.