CJEU delivers judgment on conditions for valid consent in an offline context

On 11 November 2020, the Court of Justice of the European Union (CJEU) in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) (Case C-61/19) delivered its preliminary ruling on the conditions for valid consent under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) and its predecessor, Directive 95/46/EC. You can read the judgment here.

The CJEU held that a printed contract for mobile telecommunication services containing a clause stating that the customer has consented to the collection and storage of a copy of their identity document does not demonstrate valid consent where the box referring to that clause was pre-ticked by the data controller before the contract was signed. The burden of proving that consent was freely given, specific, informed and unambiguous rests with the controller, and a pre-ticked box does not discharge it.

The case builds on the CJEU's earlier ruling in Planet49 (Case C-673/17), which reached the same conclusion for pre-ticked checkboxes in an online context, and on which we commented last year here and here.


The European Data Protection Board releases recommendations on supplementary measures following the Schrems II decision

On 11 November 2020, the European Data Protection Board (EDPB) published recommendations on supplementary measures for international transfers (here) and recommendations on the European Essential Guarantees for surveillance measures (here), following the CJEU's Schrems II decision (Case C-311/18) (see our previous blog here).

As a result of the Schrems II decision, data exporters who rely on an Article 46 GDPR transfer tool, such as Standard Contractual Clauses (SCCs), as the appropriate safeguard for an international transfer of personal data must assess, on a case-by-case basis, whether the law and practice of the third country provide a level of protection that is essentially equivalent to that guaranteed in the European Economic Area (EEA). Where the protection is not essentially equivalent, data exporters must consider whether contractual, organisational or technical supplementary measures can be implemented to fill the gaps; if no effective measures can be identified, the transfer should not take place.


CPRA: The next frontier in (California) privacy

Before the dust has even settled on many California Consumer Privacy Act (CCPA) compliance projects, California voters have approved Proposition 24, the California Privacy Rights Act (CPRA), by a clear majority. Building on the CCPA framework, the CPRA expands the rights of California consumers, adds new responsibilities for both businesses and service providers, and creates a new state agency, the California Privacy Protection Agency (the Agency), to take over enforcement from the state Attorney General. Here are the notable changes:

First, every business will be happy to know that the sunsets for the B2B and employee information exemptions have been extended until January 1, 2023 (the legislature had previously extended them by a year, to January 1, 2022).

Comparing legal privilege when dealing with privacy issues in England and Wales and the United States

The protection afforded by legal professional privilege (attorney-client privilege in the United States) enables candid conversations between lawyers and clients. Privilege can attach to communications covering a variety of topics, from responding to a data subject access request (DSAR) to handling a security incident or managing complex and time-consuming investigations on a multinational scale. Different privilege rules apply in different jurisdictions, and a document that is privileged in England and Wales may not be privileged in the United States, or vice versa.

Our recent client alert provides a summary of the key similarities and differences in relation to privilege in England and Wales and the United States.

ICO releases updated guidance on data subjects’ right of access

On 21 October 2020, almost a year after the UK's Information Commissioner's Office (ICO) published its draft guidance on the right of access for consultation, the ICO published its updated guidance on data subject access requests (DSARs), available here (Guidance).

In a previous post, available here, we covered what DSARs are and the principal areas of focus of the draft guidance.

So, what has changed? Overall, the Guidance provides more in-depth advice and further examples to help organisations understand how they can meet the requirements of Article 15 of the General Data Protection Regulation (GDPR) when handling DSARs.

There are, however, three particular areas of note where the ICO has provided further explanation.

Germany’s next steps in digitization: Finally, the new Interstate Treaty on Media has been ratified by all German federal states

The Interstate Treaty on Media (Medienstaatsvertrag – MStV) has finally been ratified by all 16 German federal states and can now enter into force. On 28 October 2020, the Parliament of Mecklenburg-Vorpommern, the last German federal state to ratify the MStV, adopted the act ratifying the treaty. Ratification by all 16 federal states is a precondition for the MStV entering into force, because broadcasting and media regulation in Germany is a matter for the states rather than the federal government.

The MStV also serves as the German implementation of the EU Audiovisual Media Services Directive (Directive 2010/13/EU), as amended by Directive (EU) 2018/1808.

The MStV replaces the current Interstate Treaty on Broadcasting (Rundfunkstaatsvertrag – RStV) and is considered an important milestone in media policy. It is an essential part of the national effort to modernise the media landscape and to make the German legislative framework fit for the next stage of digital media. Consequently, the MStV covers not only broadcasting but also services outside the category of broadcasting, i.e., telemedia services. By regulating media intermediaries, media platforms, user interfaces and video-sharing services, the MStV applies to many players on the media market.

EDPB finalises guidelines on Data Protection by Design and by Default

On 20 October 2020, the European Data Protection Board (EDPB) met for its 40th plenary session. During the session, the EDPB adopted final guidelines on Data Protection by Design and by Default (DPbDD) (available here) (the guidelines). See our blog post on the draft DPbDD guidelines, available here.

As a quick reminder, the obligation to adhere to DPbDD, which is set out in Art. 25 GDPR, requires controllers to be able to show that they have:

  • Built in compliance measures, including appropriate technical and organisational measures, from the outset (i.e., when determining the means of processing), and continually monitored and updated them throughout their processing of personal data (by design, Art. 25(1)); and
  • Given consideration to their processing activities so that, by default, only personal data which is necessary for each specific purpose of the processing is processed, in terms of the amount of data collected, the extent of processing, the storage period and accessibility (by default, Art. 25(2)).

The guidelines show how to effectively implement the principles relating to the processing of personal data set out in Art. 5 GDPR, setting out key design and default elements for each principle alongside practical examples. They also make clear that implementing measures is not enough on its own: controllers must be able to demonstrate that the measures implemented are effective.

When we discussed the draft guidelines on DPbDD, we noted that while Art. 25 GDPR is addressed primarily to controllers, processors and other parties that work with controllers are also advised to take note, since a controller must select processors and technology providers that enable it to meet its DPbDD obligations, and being able to demonstrate this may be a means of achieving a competitive advantage. The EDPB reiterated this point in the press release accompanying the guidelines.

The guidelines also provide recommendations on how controllers, processors and third parties can cooperate to achieve DPbDD. For example, controllers should engage their Data Protection Officers at an early stage, consider using certification mechanisms and/or codes of conduct to demonstrate compliance, and consider imposing contractual DPbDD requirements on processors, all of which help controllers demonstrate their compliance with DPbDD and with the accountability obligation more broadly.

Nevada Attorney General Aaron Ford talks to Reed Smith about Nevada’s new data privacy law, consumer protection, and data breaches

In a recent Q&A with Nevada Attorney General (AG) Aaron Ford, the first-term AG discusses Nevada's new data privacy law (Senate Bill 220), which gives consumers a right to opt out of the sale of their covered information by website operators. AG Ford also outlines his perspective on federal privacy legislation and his office's data breach enforcement efforts. Lastly, AG Ford discusses his view on children's privacy and his office's continued focus on privacy issues in 2021. Read more in the IAPP Privacy Advisor article here.

European Commission implements interoperable gateway for COVID-19 contact tracing and warning apps

Following its earlier recommendation to support the gradual lifting of coronavirus (COVID-19) restrictions through the use of mobile data and apps, the European Commission on 19 October 2020 brought into operation an EU-wide system for the interoperability of national contact tracing and warning apps.

Background

National contact tracing and warning apps can play a key role in all phases of COVID-19 management by warning users if they have been in contact with someone who has reported testing positive for COVID-19 and by giving them appropriate health advice. Most EU Member States have developed national contact tracing and warning apps, which can be used on a voluntary basis.

The new ‘gateway’ system allows these national apps across the EU to talk to each other, so that users remain warned when they travel to or from another participating Member State, and thereby realises the full potential of the national apps by routing the exchange between national backend servers through a single gateway service.

The design of the gateway system builds on the technical specifications set out in the European Commission's interoperability guidelines, the EU toolbox for contact tracing apps, and the Commission's and the European Data Protection Board's guidelines on data protection for contact tracing and warning apps.

EDPB releases guidelines on relevant and reasoned objection

On 8 October 2020, the European Data Protection Board (EDPB) published new guidelines on the concept of a relevant and reasoned objection under the General Data Protection Regulation (GDPR). The guidelines concern the cooperation and consistency provisions set out in Chapter VII of the GDPR, under which supervisory authorities have a duty to exchange all relevant information with each other and to cooperate in an endeavour to reach consensus when handling cross-border cases in the European Union (EU).

Background

Under Article 60 of the GDPR, the lead supervisory authority (LSA) is required to submit its draft decision to the concerned supervisory authorities, which may then raise a “relevant and reasoned objection” with the LSA within four weeks. On reviewing such an objection, the LSA can either follow the views of the concerned supervisory authorities and submit a revised draft decision, or, if it does not follow the objection or considers it not to be relevant or reasoned, refer the matter to the EDPB for a binding decision under the GDPR's consistency mechanism (Article 65). The guidelines set out what an objection must contain to qualify as “relevant” and “reasoned”, and so determine which disagreements can trigger that referral.
