Data Protection: An Overview of General Data Protection Regulation Developments during the Month of July
July brought some noteworthy and even historic developments for us to contemplate. One of the most significant of these is the landmark case "Schrems II", which invalidated the previously popular "Privacy Shield" arrangement for data transfers to the US, forcing EU stakeholders to immediately seek new grounds for such transfers. In the meantime, the CJEU sided with Google and YouTube against copyright holders in the battle against internet piracy, and the Dutch DPA issued a hefty fine for obstruction of data subjects' rights.
Schrems II: EU-US Privacy Shield ruled invalid
On 16 July the Court of Justice of the European Union (CJEU) handed down a decision that, among other matters, invalidated the EU-US Privacy Shield, particularly due to the US legal system and the concerning government surveillance practices in the US. Notwithstanding this, the ruling upheld the Standard Contractual Clauses (SCCs), subject to additional requirements when exporting EU citizens' data to third countries.
The Privacy Shield was relied upon by more than 5000 organisations in the US and even more organisations in the EU. This ruling has raised uncertainty for entities that previously relied on this data transfer arrangement, as it brings to a halt the easy access of US entities to personal data in Europe. The bottom line of the ruling is that stakeholders who relied upon the Privacy Shield must terminate such transfers and consider other means, such as SCCs, derogations under Article 49 of the GDPR or binding corporate rules (BCRs).
It is not clearly indicated what companies that rely on the SCCs should do at the moment to be compliant. Certain data protection authorities, namely the Dutch, Berlin and Hamburg authorities, have suggested that transfers of personal data to the US should be terminated altogether. Other data protection authorities, such as the UK's ICO, have indicated that those who relied upon this mechanism should for now continue to process data as before. In practice, therefore, this matter will depend on the view of the lead supervisory authority.
Nevertheless, data exporters will need to carry out a case-by-case assessment of data protection in the data importer's country, in particular the level of data protection afforded by that country's legal system and the extent to which national public authorities can access the respective data.
After the ruling, data protection authorities and government agencies have started to provide clarification and guidance on how to handle data transfers following this landmark decision. DPAs and experts advise controllers and processors in the EU who relied upon the Privacy Shield and SCCs to evaluate the data flows transferred under these mechanisms and the legal environment in the destination state, and to rethink strategies and methods for future transfers so as to reduce the risk of data breaches. It will also be necessary to re-evaluate the data recipients and their ability to meet the legal and contractual requirements in practice.
Court of Justice of the European Union rules that YouTube is not obliged to hand over information on pirates
On 9 July the CJEU ruled, in a case referred to it by a German court seeking guidance, that YouTube has no obligation to provide the email addresses, IP addresses and phone numbers of users who have illegally uploaded films to YouTube.
The case began with the German film distribution company Constantin Film Verleih requesting that Google and YouTube provide the phone numbers, email addresses and IP addresses of the infringing users in order to stop the illegal distribution of two films to which the company held the rights. Google and YouTube refused, and the German company went to the German court. Before the German court, the dispute turned on the interpretation of "address", namely whether "address" covers only a postal address or also an IP address and an email address. The German court referred the question to the CJEU, which decided in favour of YouTube and Google.
The judges of the CJEU were of the opinion that in cases such as these, right holders may, under the directive on the enforcement of intellectual property rights (Directive 2004/48), require and receive from the respective platform operator only the postal address of the infringer.
The court held that, in the absence of a more detailed definition of "address" in the directive, there was no reason to extend its meaning beyond what the word carries in everyday language, i.e. a postal address. In addition, no legislative discussion of a broader definition that could point to such an extended meaning took place when the directive was being drafted.
Even though this may come as a letdown to right holders, since the addresses users supply at registration are not always truthful, the CJEU did point out that Member States may provide for competent judicial authorities to require the disclosure of more information, where a fair balance between copyright and privacy is ensured in accordance with the general principles of EU law.
Dutch data protection authority issues a fine of 830,000 Euro
In July the Dutch Credit Registration Bureau, or Stichting Bureau Krediet Registratie (BKR), received a fine of 830,000 Eur imposed by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) for violations of Articles 12(2) and 12(5) of the GDPR. The case was opened on the basis of several complaints from data subjects regarding a practice that was in place during 2018 and 2019.
At the core of the violations lies BKR's practice of offering only two mechanisms for data subjects to access their personal data, both of which, by their nature, deterred data subjects from exercising their rights.
Firstly, data subjects were offered electronic access to their data by taking out an annual paid subscription provided by BKR, which cost individuals from 4.95 Eur up to 12.50 Eur per year. Alternatively, data subjects were offered the impractical option of receiving a free copy of their data only once a year by post. Such a request had to be accompanied by a copy of a passport and sent to BKR by post.
In the view of the DPA, BKR was not in a position to require any kind of payment for electronic access to personal data: providing one free means of access, in this case by post, did not entitle it to charge for the use of another. This was underlined by the fact that the GDPR explicitly envisages that personal data processed electronically should be provided in an electronic format.
BKR sought to justify this practice under Article 12(5)(a) of the GDPR by characterising such requests as unfounded or excessive, which would allow the controller to charge a reasonable fee taking into account the administrative costs of providing the information. The DPA held a different view, namely that a request made once a year is not, in the given case, to be considered repetitive or excessive within the meaning of this Article. The chairman of the Dutch DPA commented that it is important that people are able to access their credit registration data easily and quickly, considering that a poor credit score can affect one's ability to obtain a loan or mortgage.
The final word, however, belongs to the court, as BKR has contested the fine.
Matiss Liepins is Compliance Officer at Erremme Business Advisors Ltd and may be contacted on firstname.lastname@example.org