Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of October
This October was not without possibly far-reaching developments, as online ad and publishing industry began to wage a battle against Apple, and the CJEU ruled against mass surveillance of phone and internet data. In the meantime, EDPB published new guidelines with increasingly significant importance, while the European Parliament moves forward towards updating legislation concerning the European digital environment.
Ad and publishing industry files an anti-trust claim in France against Apple’s new privacy settings
In June Apple had announced that it will take on some new changes in their privacy controls of mobile operating software that would restrict ad trackers and make apps to collect opt-in consent to place identifiers that are necessary for targeting of ads. Apple customers already had the possibility to block tracking by adjusting their device settings, however, these changes would make it easier for the individual by providing a pop-up notice that enables users to block the trackers whenever an app is downloaded or updated.
Such plans caused uproar from a wide range of internet businesses, including, publishers, social media platforms, app developers and ad tech companies. While Apple claims that at the core of its planned changes to the privacy controls lies the respect for the human rights of its users, the groups involved in the matter are not convinced, claiming that Apple is merely hiding behind the data protection rhetoric to increase its revenue by forcing advertisers into subscribing with Apple thereby, sharing a part of revenue from their sales.
The industry representatives, particularly, Interactive Advertising Bureau France, which includes representatives of social media platforms such as LinkedIn, Google and Facebook, among others, claimed that such controls will have devastating effects as few users would provide consent. As stated, this would mean that ad companies would have difficulties to track and target potential customers. Additionally, content providers would struggle to make personalized ad sales, as such practice would give Apple an unfair advantage in online app marketplace and App Store. For this reason the claimants requested the French competition authority to stop Apple from changing iOS14 next year until investigations in Apple’s business practices are carried out.
CJEU rules that Member States must curb mass surveillance of phone and internet
In October, the Court of Justice of the European Union ruled that data protection legislation across the European Union must place strict controls on the data surveillance carried out by national governments and espionage organisations by forbidding the mass collection of mobile and internet data of individuals.
The root of the issue was the increase in surveillance activity in France, Belgium and UK, that was sparked by the growing numbers of terrorist attacks in these countries. The issue was brought before the court due several complaints made by Privacy International and La Quadrature du Net.
The court ruled that the practice of having internet and phone operators to transmit and retain indiscriminately the traffic and location data for mass surveillance purposes is not acceptable under EU law.
The Court did, however, point out that surveillance of the said data may be undertaken where a genuine and serious national security threat is present and surveillance is justifiable for the purpose. The retention of so gathered data, as the court ruled, should be kept only for as long as strictly necessary, and that the data may be kept for extended periods only to extent the national security threat persists. The collection should also be done on an individual basis, instead of mass collection.
However, when derogations are applied, the government must provide for effective safeguards to ensure respect of the fundamental rights. Furthermore, any derogation should be assessed in court or other competent authorities.
European Parliament proceeds towards the Digital Service Act
The Digital Service Act was originally announced in 2019 by the European Commission with the purpose of updating the outdated legislation, strengthening the European Single Market, promoting innovation and competition for the benefit of consumer choice. In October 2020 European Parliament took the next steps by approving a set of two legislative initiative reports or the Digital Service Act package that aims to introduce measures to combat the issues surrounding the online environment. The full package is expected to be presented in December 2020.
At the heart of the contemplated Digital Service Act are four initiatives that are designed to bring increased online security. The first one is the initiative to ensure that third-country service providers abide by any European Union rules that may be established in the near future. Secondly, the initiative envisages more stringent rules for targeted ads and increased ability of users to control the content they receive online by reducing the reliance on algorithms. The third initiative addresses the consumer protection from unsafe, illegal or counterfeit products sold online. And lastly, the fourth initiative aims to establish new rules to curb the powers of large platforms that hold the role of gatekeepers of online markets (such as Google and Facebook) by setting the rules for market access and consumer choice.
Among the proposals of the Members of European Parliament, is the binding notification arrangement that enables users to report online intermediaries on suspected illegal content and activities. As envisaged, the said online intermediaries upon receiving such a notification would be in a better position to provide a swift response, while being more transparent in their actions in the mitigation of undesired content. In order to achieve this, Parliament proposed that the terms ‘’harmful content’’ and ‘’illegal content’’ is strictly differentiated.
Furthermore, Parliament emphasized the need to implement the consumer protection and user safety principle, as well as the adage like principle ‘’what is illegal offline is also illegal online’’ as the guiding principles of the Digital Service Act. It went further to propose a new principle ‘’Know Your Business Customer’’ that implies the requirement to platforms to screen and filter out business that offer illegal and unsafe products and content. According to Parliament, the new framework should also address the practices of large platforms that hinder the entrance of fresh, however, possibly small competitors facing unfair market access rules.
EDPB releases Guidelines on Data Protection by Design and Default
On October 20, the European Data Protection Board after public consultation adopted its final version of the Guidelines on Data Protection by Design and Default. These guidelines provide clarification on the nature of Article 25 of GDPR, which holds the requirement to ensure the data protection principles and data subject’s rights and freedoms by design and default and technical and organisational measures, as well as necessary safeguards are implemented. In addition, the guidelines also tackles with the implementation of principles enshrined in Article 5 of GDPR. The guidelines also contain a list of key designs and default elements, and practical examples of implementation, as well as recommendations for controllers and processors on how to best reach data protection by design and default in cooperation.
Matiss Liepins is Compliance Officer at Erremme Business Advisors Ltd and may be contacted on email@example.com