GDPR-related updates across the EU, Vol. 3
- The Data Privacy Framework (DPF EU-U.S.) and the adequacy decision of the European Commission
On 10th July 2023 the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework (hereinafter, DPF). The DPF is an EU–U.S. data transfer framework that was agreed in 2022. The adequacy decision concludes that the U.S. ensures an adequate level of protection, compared to that of the EU, for personal data transferred from the EU to U.S. companies participating in the DPF. The said U.S. companies will be deemed to provide “adequate protection” under Article 45 of the GDPR for personal data transfers received from the EU and the European Economic Area (hereinafter, EEA). As a result of this adequacy decision, personal data can flow freely and safely from the EEA to the U.S. without any further conditions. European data protection authorities have developed a list of elements that must be taken into account for this assessment, such as the existence of core data protection principles, individual rights, independent supervision and effective remedies. In its adequacy decision, the Commission has carefully assessed the requirements that follow from the DPF as well as the limitations and safeguards that apply when personal data transferred to the U.S. are accessed by U.S. public authorities, in particular for criminal law enforcement and national security purposes. The new obligations are geared to ensure that data can be accessed by U.S. intelligence agencies only to the extent of what is necessary and proportionate, and to establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.
- The newly established DPRC by the U.S. Government
Following the above framework and the adequacy decision, the U.S. Government has established a new two-layer redress mechanism, with independent and binding authority, to handle and resolve complaints brought by any individual whose data has been transferred from the EEA to companies in the U.S., regarding the collection and use of their data by U.S. intelligence agencies.
The newly established Data Protection Review Court (hereinafter, DPRC) will grant EU citizens access to an independent and impartial recourse mechanism, which will investigate and resolve complaints and which will also issue binding remedies. Individuals can submit a complaint to their national data protection authority (hereinafter, DPA), which will then be transmitted to the U.S. by the European Data Protection Board (hereinafter, EDPB). The complaints will first be investigated by the so-called ‘Civil Liberties Protection Officer’ of the U.S. intelligence community, whose decisions can later be appealed before the newly created DPRC. The Court is composed of members from outside the U.S. Government, who are appointed on the basis of specific qualifications. If the DPRC finds that data was collected in violation of the safeguards set in the Commission’s adequacy decision, it can order the deletion of the data.
- EDPB informs stakeholders about the implications of the DPF
The EDPB adopted an information note for individuals and entities transferring data to the U.S. This note aims to provide concise and objective information regarding the impact of the adequacy decision on transfers to the U.S., the redress mechanisms available under the DPF, and the new redress mechanism in the area of national security. The information note specifies that in the area of national security, EU individuals can submit a complaint to their national DPA to make use of the new redress mechanism regardless of the transfer tool used to transfer personal data to the U.S.
- IMY orders CDON, Coop, Dagens Industri and Tele2 to stop using Google Analytics
IMY (the Swedish DPA), following complaints against companies which transfer personal data to the United States in violation of Article 46 of the GDPR, carried out audits of four companies (CDON, Coop, Dagens Industri and Tele2). IMY found that those companies transferred personal data to the U.S. through Google Analytics, which is a tool for measuring and analyzing traffic to websites. Coop and Dagens Industri took extensive protective technical supplementary measures to comply with the GDPR. From IMY's audits, it appears that none of the companies' additional technical security measures were sufficient. Consequently, IMY issued an administrative fine of 12 million SEK (Swedish Krona) (approximately €1,027,550) against Tele2 and 300,000 SEK (approximately €25,689) against CDON, since they had not taken the same extensive protective measures as Coop and Dagens Industri. Tele2 has recently stopped using the statistics tool on its own initiative. IMY ordered the other three companies to stop using the tool.
- Cyprus: Signing a memorandum of cooperation between the Commissioner for Personal Data Protection and the Commissioner for Communications on matters relating to their joint or separate responsibilities
The new Memorandum repeals and replaces the previous Memorandum, which was signed on 19 May 2017.
The purpose of the new Memorandum is to establish a framework of procedures and to adopt and implement appropriate mechanisms for more efficient and effective cooperation between the two Commissioners in receiving and/or processing:
- notifications of personal data breach incidents by providers of publicly available Electronic Communications Services; and,
- incidents from basic service operators, critical infrastructure operators and digital service providers leading to personal data breaches.
- 1 million kroner (approximately €89,000) per day fine against Meta for user data breach by the Norwegian DPA
Norway's DPA announced on 17th July that it considered the behavioral advertising practices of Meta to be illegal, and that it was therefore imposing a temporary country-wide ban on Meta's tracking and profiling of users. Its decision was based on an earlier decision by Ireland's Data Protection Commission, taken on behalf of all data protection authorities across the European Economic Area (EEA). It warned Meta that the company risked being fined if it did not comply with the said decision. The Court of Justice of the EU, in a judgement issued on 4th July, found that Meta’s behavioral advertising still did not comply with the law. Consequently, and since Meta had not taken any steps towards compliance by 4th August, a temporary ban on such advertising has been in effect, and fines of 1 million Norwegian kroner per day have been imposed on Meta from 14th August for privacy violations against Norway’s citizens. Meta appealed the decision to a Norwegian court and is actively seeking an interim order against the imposition of the fine.
- Piraeus Bank fined €210,000 for unlawful processing of personal data and breach of the right of access
A citizen filed a complaint against Piraeus Bank for transferring his personal data to the Hellenic Loan Services Association without any legal reason or right to do so, since there was no longer any claim against him. After the filing of the complaint, it was found that a list was systematically generated which included persons who had a zero balance and therefore did not belong on the said list. Based on that list, an informative letter was sent, informing the recipients that their data would be transferred to the Hellenic Loan Services Association. It was found that there was no legitimate basis for the processing of the relevant data, namely the production of the list and the sending of the letter to the data subjects. Consequently, the Greek DPA found that there had been a breach of the principle of legality (Articles 5(1)(a) and 6 of the GDPR) by the Bank. Regarding the right of access, the Greek DPA considered that the Bank, upon the claimant’s request to access his data, by limiting itself to withdrawing the initial letter, did not satisfy the applicant's right of access, as it should have replied to the applicant that his data were not processed for the purpose stated in the letter and that they were not transmitted to the Hellenic Loan Services.
- EDPB settles dispute on TikTok processing of children’s data
The EDPB adopted a dispute resolution decision concerning a draft decision of the Irish DPA regarding TikTok Technology Limited (hereinafter, TTL). Other EU DPAs had previously raised objections to the draft decision of the Irish DPA, as lead supervisory authority, regarding TTL; hence the binding decision addresses the legal questions arising from those objections. The EDPB binding decision ensures the correct and consistent application of the GDPR by the national DPAs. The decision is part of an investigation launched in 2021 into whether TikTok had violated the EU’s data protection rules by failing to ensure that its age verification processes sufficiently protected the privacy of children between the ages of 13 and 17. TikTok's level of transparency on how it processes children's data is also being investigated. The Irish DPA shall adopt its final decision on the basis of the EDPB binding decision, taking into account the EDPB's legal assessment.