Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of October

Data Protection Developments within the European Union

The General Data Protection Regulation has proved to stand the test of time, with developments continuing at a regular pace even a year and a half after it became enforceable. In fact, October saw a balance of judgements, GDPR fines and breach notifications. Amongst these, one may note the CJEU landmark judgement, which is expected to rise to the forefront of the interpretative instruments applied to data protection and digital data laws. The European Data Protection Board also published its first two guidelines. Apart from this, a number of substantial fines were issued, the highest this month amounting to approximately 18 million Euros.

Cookie Laws – a Decisive CJEU Landmark Judgement

On the first of October, the Court of Justice of the European Union (CJEU), the highest judicial authority within the European Union, issued a decisive landmark judgement. This is expected to be imperative to the interpretation of the General Data Protection Regulation provisions on consent and their application under the cookie laws. The case arose after the German Federation of Consumer Organisations brought a judicial challenge against Planet49, a German company, objecting to the use of pre-checked boxes in online promotional games. In this case, consent was demanded for the use of the service even though the data collected was not required for the necessary processing but for advertising.

The German court invoked the European Union's preliminary ruling mechanism for further clarification on interpreting the General Data Protection Regulation in the context of electronic communications. In giving a preliminary reference, the CJEU determines the common application and interpretation which the domestic court is to follow in its adjudication. The CJEU analysed the legal vocabulary used in Article 5(3) of the ePrivacy Directive, reading it as demanding a positive action on the part of the subject, who expresses consent by act and not by omission. The wording implies that passive acts are not sufficiently autonomous to constitute check-box consent. Therefore, approaches which demand action to withhold consent rather than to give it are not compliant with the General Data Protection Regulation, since the act must assert a will constituting consent, rather than merely a lack of refusal.

This judgement has also gathered interest since it interpreted cookies as falling within the material scope of the General Data Protection Regulation and similar instruments, regardless of whether they constitute personal data. This is because, as corroborated by the Article 29 Working Party, cookies are interconnected with the private life of an individual and therefore need not directly constitute personal data to warrant legal protection, this being the underlying feature of the ePrivacy principles. The judgement also sets out guidance on transparency, demanding that website operators inform users about the cookie retention period and any third parties having access to the data.

European Data Protection Board – New Guidelines on the Legal Bases for Lawful Processing of Personal Data

Whilst the CJEU has contributed to the interpretation of GDPR scenarios through the preliminary reference procedure, the European Data Protection Board has also added to the body of interpretative tools through the publication of two separate GDPR guidelines.

The first targets the processing of personal data through surveillance technology and similar devices. Whilst published, it is not yet finalised, as a public consultation is still pending. Although not legally binding, such GDPR guidelines still hold importance as they seek to clarify the functioning and application of the General Data Protection Regulation. For instance, among the clarifications set out by this guideline is the narrowing of the household or personal activity exception to the applicability of the General Data Protection Regulation, which is expressed as covering only the private and family activities of the person. The guideline also sets out specifications on the use of legal bases and legitimate interest in surveillance technology.

The second GDPR guideline has been published in its final form. It concerns the necessity of data processing in contractual or pre-contractual scenarios involving online contracts, and applies to all online services provided through electronic means, whether against payment or not. The guideline establishes a criterion of objectivity, namely whether the processing is objectively required for the contract at hand. The notion of 'necessity' has to be strictly applied; in fact, it should be deemed absent where other plausible and less intrusive means are available. Moreover, the guideline also rejects any disclaimers or terms which alter the General Data Protection Regulation's provisions, whether by way of expansion or derogation.

Healthcare and Data Protection – Data Attack Targeting NHS Pagers Exposes Medical Data

As alluded to in earlier articles, the healthcare industry is a more critical sector for the application of the General Data Protection Regulation, since medical data is categorised as a more sensitive quality of data. In October, a security researcher exposed an amateur radio rig which livestreamed and published real-time medical data on the internet. This was made possible by intercepting the radio frequencies used by pager technology, which allowed the rig to decode the information into written format. The online publication of the medical data took place through an unprotected internet-connected webcam pointed at the rig's monitor, showing all the decoded results. This exposed the name, address and injury of individuals. The breach invites discussion on the appropriate use of such technologies, leading one to ask whether the NHS Trust could have prevented such a leak through the use of encryption rather than coding. Whilst pagers have already been through substantial phasing-out periods, with 2021 being the target for ending their use, several NHS Trusts across the United Kingdom still have a substantial number of pagers in operation.

Austrian Data Protection Authority – Austrian Post liable for an 18 Million Euro Administrative Fine

Throughout October, news emerged of a substantial 18 million Euro GDPR fine imposed by the Austrian Data Protection Authority on Österreichische Post AG, the Austrian national postal service. The Austrian Data Protection Authority held the company accountable for processing personal data relating to the political affinity of data subjects. The Austrian Post had conducted statistical analysis on its clients to determine individuals' probability of a particular political affiliation, based on territorial and age demographics, which goes beyond the lawful processing permitted by the General Data Protection Regulation. The findings, derived from indirectly collected personal data falling within the special categories of data, were used for direct marketing purposes. A further violation identified was the unlawful sale of personal data for direct marketing, namely data relating to the frequency of postal deliveries and relocations. This was adjudicated as unlawful further processing, since it could not reasonably have been foreseen by the individuals concerned. The extent of the fine reflects the culpable intent of the Austrian Post in conducting such evidently unlawful acts. Whilst culpability has so far been established in the oral hearings held by the Austrian Data Protection Authority, an appeal is expected within the coming weeks.

Berlin Data Protection Authority – 14.5 Million Euro Fine Imposed for Improper Application of the Data Minimisation Principle

Deutsche Wohnen, a German real estate group, has been charged with the highest German GDPR fine recorded to date, after two separate inspections by the Berlin Data Protection Authority revealed that a vast amount of data was still being retained, and remained available for processing, even though the legal time limit proportionate to business necessity had been exceeded. The affected data included employment contracts, financial data, and social and health insurance data. This violates the General Data Protection Regulation since not only did the company store data for longer than legally allowed, but the archiving system used did not allow an individual's data to be removed from the digital archive. Whilst this facilitates the accuracy of audits by preventing modification of the original stored data, it constitutes a breach of the General Data Protection Regulation and of the lawful processing principles that underpin it. The ambitious Maja Smoltczyk, the responsible Data Protection Commissioner, is expected to face a court appeal, since both general expert opinion and the defendant view the fine as excessive.

Data Protection Enforcement on Tech Giants

Facebook’s Data Protection Saga Continues – UK Information Commissioner’s Office to Collect the 500,000 Euro Cambridge Analytica Fine

The Cambridge Analytica scandal is still at the forefront of the data protection sphere. Whilst in recent months many have alleged additional data protection and GDPR breaches persisting beyond the scandal itself, October saw a direct development in the Cambridge Analytica case. Facebook still denies liability for the alleged scandal. However, an agreement has been reached between the British Information Commissioner's Office and the tech giant on payment of the half-million Euro fine. The 500,000 Euro fine was the highest that could possibly have been imposed pre-GDPR, which, although contextually minor for the tech giant, is significant in principle. Through Facebook's withdrawal of its appeal, the agreement has ended a stalemate of appeals which had stalled the court proceedings. This is being regarded as a new path of collaboration for the future of Facebook and its data protection practices.

For more information on the General Data Protection Regulation
Get in touch with us

📧 ybusuttil@easl.com.mt
