The Irish Court of Appeal has held that while the definition of “personal data” is very broad, to interpret a document as constituting personal data for the sole reason that it was generated as a result of a complaint made by the data subject would be to “overstretch” the concept of personal data. In a related judgment, the Court found that the data subject was entitled only to a “copy” of his personal data, and not the data in its “original” form.
On 23 July 2020, the European Data Protection Board (EDPB) adopted FAQs on the Schrems II judgment. The FAQs provide answers to questions received by EU data protection authorities (DPAs) and will be developed and complemented by the EDPB in due course.
In brief, the EDPB clarifies:
- No grace period – The Court of Justice of the European Union (CJEU) has invalidated the Privacy Shield with immediate effect. The judgment does not provide any grace period during which companies can keep transferring personal data to the US without assessing the legal basis for the transfer.
- Use of SCCs for EEA-US transfers – US law (i.e. Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection. Whether or not you can transfer personal data to the US based on the Standard Contractual Clauses (SCCs) will depend on the result of your adequacy assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures, along with SCCs, would have to ensure that US law does not impinge on the adequate level of protection they guarantee.
The Court of Justice of the European Union has delivered its eagerly awaited decision in Schrems II (Case C-311/18).
Why is the case important?
Schrems II calls into question the ability of companies to lawfully transfer data from the EU to the United States (US) and other countries.
The GDPR contains strict rules on transferring data from the EU to third countries, and this case deals with the compatibility of these rules with surveillance laws in other countries.
What has the Court decided?
The headline outcome is that:
- The Privacy Shield decision is invalid with immediate effect – this means that companies can no longer rely on a Privacy Shield certification when transferring personal data to the US.
- Standard contractual clauses (SCCs) are valid – but their use is subject to certain pre-conditions and ongoing obligations.
In a recent case, the Court of Justice of the European Union (CJEU) considered whether a functional shape is precluded from copyright protection. The case was referred from the Commercial Court of Liège (Belgium) (C-833/18).
The original case before the Commercial Court of Liège concerned a claim for copyright infringement brought by an English company, Brompton Bicycle Ltd (Brompton). Since 1987, Brompton has marketed and sold folding bicycles. The Brompton Bicycle, which was protected by a patent until 1999, has the distinct feature of having three different positions: (i) a folded position; (ii) an unfolded position; and (iii) a stand-by position enabling it to stay balanced on the ground.
When a South Korean company, Get2Get, started marketing a bicycle that could also be folded into the same three positions as the Brompton Bicycle, Brompton brought a claim for copyright infringement. In its defence, Get2Get claimed that the shape of the Brompton Bicycle could not be protected by copyright law because its appearance is dictated by the technical solution sought, which is to ensure that the bicycle can be folded into three different positions.
In recent weeks, employers have been busy implementing the recommendations set out in the Government’s Return to Work Safely Protocol, in preparation for employees returning to the workplace. Somewhat surprisingly, the Protocol makes no reference to the need to comply with data protection law, yet the measures recommended by the Protocol involve the processing of personal data, in particular health data.
There has been growing concern amongst employers about how to ensure compliance with data protection law when implementing the Protocol, in particular in relation to the issue and retention of pre-return-to-work questionnaires, the use of contact tracing logs, and temperature testing. The Department of Business, Enterprise and Innovation (DBEI) and the Data Protection Commission (DPC) have now published guidelines clarifying how employers can implement the Protocol in a manner that complies with their data protection obligations.
The Guidelines clarify that:
- Temperature testing should not yet be considered a requirement under the Protocol. If employers are carrying out such testing, for instance in high risk workplaces, then they should consider conducting a DPIA and ensure the testing is necessary and proportionate.
- Pre-return to work questionnaires completed by employees should collect the minimum information necessary and should not be retained once employees return to the workplace.
- Where contact tracing logs are kept by an employer in respect of employees who are in close contact for extended periods of time, where social distancing is difficult to maintain, such logs should generally only be retained for the purpose of facilitating the HSE’s official contact-tracing procedures and to act as a memory aid for employees regarding close contacts. The data should only be retained for as long as necessary for this purpose. Employers should avoid disclosing information relating to a particular employee’s Covid-19 diagnosis to other employees.
The register of one-stop-shop decisions is now live on the EDPB website. It provides access to summaries and final decisions adopted by the Lead Supervisory Authorities (LSAs), working together with other concerned authorities. The decisions concern a range of data protection compliance issues, in particular data subject rights, lawfulness of processing, data breaches, security, and transparency requirements. In many cases, the LSAs concluded there was no violation of the GDPR. Where there was a violation, the LSAs, for the most part, issued reprimands or compliance orders rather than fines.
The Data Protection Commission (DPC) has published a two-year Regulatory Activities Report, which reviews the range of its regulatory tasks from 25 May 2018 to 25 May 2020.
The Report notes that the purpose of the two-year assessment is “to provide a wider-angled lens through which to assess the work of the DPC since the implementation of the GDPR; in particular, to examine wider datasets and annual trends to see what patterns can be identified.”
The European Data Protection Board (EDPB) has adopted a statement on restrictions on data subject rights in connection with the state of emergency in Member States. The EDPB emphasises that, despite the international crisis, the GDPR remains applicable and allows an efficient response to the pandemic, while still protecting fundamental rights and freedoms.
The EDPB’s statement was made in response to a Hungarian government decree dated 4 May 2020. The decree sets out certain derogations from the GDPR and, in particular, allows data controllers involved in Covid-19 related data processing to suspend the fulfilment of data subjects’ requests under Articles 15-22 GDPR (such as the right of access or erasure) until the state of emergency is revoked in Hungary. The decree does not indicate any time limit in respect of the state of emergency.
As part of their lockdown exit strategy, governments around the world are launching Apps with contact tracing functions. The idea behind these Apps is that users will be alerted when another App user has tested positive for Covid-19, thereby enabling them to take appropriate action, such as self-isolating or undergoing testing.
It remains to be seen how effective contact tracing Apps will be in the fight against Covid-19, but it is clear that in order for the Apps to work, they need to be widely downloaded and used. The popularity, acceptance, and use of the Apps will undoubtedly depend on the extent to which the Apps enable individuals to control the collection and use of their personal data.
This briefing note considers the key data protection and privacy law issues arising in relation to contact tracing apps.
The Belgian Data Protection Authority (Belgian DPA) recently imposed a €50,000 fine on a large telecommunications operator (the company) for failing to comply with the GDPR in relation to the appointment of its Data Protection Officer (DPO). The Belgian DPA decided that the DPO’s tasks and duties under the GDPR conflicted with their role as Head of Audit, Risk and Compliance.