Tag Archives: Court of Justice of the European Union

Is Your Cookie Policy Right?

Legal news, , , , , , , ,

In a recent decision by the Court of Justice of the European Union in case C-673/17 against Planet49 GmbH, the issue of consent was analyzed on the basis of the ePrivacy Directive and the GDPR.

The case regarded a preliminary question by the German Federal Court of Justice on the validity of consent given through a pre-ticked checkbox, which the user must deselect to refuse his or her consent.

The Court analyzed the features of consent under the ePrivacy Directive (“freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed” by reference to the Data Protection Directive) and in the GDPR (“any freely given, specific, informed and unambiguous indication of the data subject’s wishes”).

The Court concluded that the user is required to “give” consent and to provide an “indication”, which “points to active, rather than passive, behavior.” Therefore, an opt-out consent is not validly given.

You may want to check if your website has a passive mechanism to accept cookies (including a mechanism whereby “continuing to browse the website means acceptance of these cookies”): under the Court’s decision described above, it is possible that such a passive consent would be regarded invalid.

This conclusion would appear to contradict the previous guideline by the Italian Data Protection Authority providing that “if the user continues browsing by accessing any other section or selecting any item on the website (e.g. by clicking a picture or a link), he or she signifies his or her consent to the use of cookies.”

Further, the Court set forth that “the information that the service provider must give to a website user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.

Recent Data Protection Developments

Legal news, , , , , ,

There are a few interesting developments in the area of data protection that you may have missed and we can recap for you:

  • CONDITIONS TO PROCESS CERTAIN DATA ISSUED BY THE ITALIAN DATA PROTECTION AUTHORITY. According to section 9 paragraph 4 of the GDPR, Member States are entitled to introduce additional conditions for the processing of genetic, biometric or health data. On July 29, 2019 the final version of such conditions issued by the Italian Data Protection Authority has been published on the Official Journal. Such conditions apply to processing of data (i) in employment relationships, (ii) by associations, (iii) by private investigators, (iv) that are genetic or (v) for purposes of scientific research.
  • RIGHT TO BE FORGOTTEN. On September 24, 2019 the European Court of Justice has issued a judgment on the right to be forgotten in case C‑507/17 against Google Inc. The Court has ruled that “there is no obligation under EU law, for a search engine operator who grants a request for de-referencing made by a data subject, as the case may be, following an injunction from a supervisory or judicial authority of a Member State, to carry out such a de-referencing on all the versions of its search engine.” While the right to be forgotten must be enforced in all Member States, there is no obligation to do that in all national search engines. The Court, however, added that a supervisory or judicial authority, after balancing all rights concerned, would be able to order de-referencing on all search engines in the world since “EU law does not currently require that the de-referencing granted concern all versions of the search engine in question, it also does not prohibit such a practice.” Given the reaction to the judgment by the Chairperson of the Italian Garante (the data protection authority) Mr. Antonello Soro, it cannot be excluded that that the Garante may issue a universal, rather than EU-wide, dereferencing order.
  • PROCESSING FOR “OWN PURPOSES”. A med-tech company has been sanctioned for having used patient data (medical scans) in a public tender process and in a subsequent litigation in an anonymized form. The company had been appointed by the hospital as a data processor but, the Garante ruled, had further processed such patient data for an own purpose rather than for the purposes mandated by the data controller (i.e., maintenance of equipment generating scans for patients).
  • AGAIN ON THE RIGHT TO BE FORGOTTEN. In a decision by the Italian Garante dated July 24, 2019 Google LLC has been ordered to de-reference from its search engine news about criminal facts occurred in 2007 for which an individual, without any public role, had been condemned, but who had been fully rehabilitated.
  • CONSUMER CREDIT CODE OF CONDUCT. On September 19, 2019 the Italian Garante approved a new code of conduct for companies operating in the areas of consumer credit, credit worthiness analysis and payment punctuality.

 

Art. 29 Working Party on EU-US Privacy Shield: Trust Not Yet Restored For Transatlantic Data Flows

Legal news, , , , , , , , , , , ,

Only few months after the 2015 Court of Justice of the European Union (CJEU) landmark decision that put an end to the Safe Harbour system, the EU Commission proudly announced a new framework agreement with the US authorities, allegedly providing strong safeguards, sufficient to “enable Europe and America to restore trust in transatlantic data flows” (Commissioner Věra Jourová).

According to the Commission’s press release, the Privacy Shield’s guarantees include:

  • strong obligations on companies and robust enforcement;
  • clear safeguards and transparency obligations on US government access;
  • a redress possibility through an independent Ombudsperson mechanism;
  • effective protection of EU citizens’ rights through various measures (a specific timeline for resolving complaints , a free of charge alternative dispute resolution solution, as well as the possibility for EU citizens to lodge complaints with their national Data Protection Authorities, who will work with the Federal Trade Commission to solve them).

Nevertheless, the newly issued opinion of the Art. 29 Working Party (“WP29”) already raised strong criticism against the Privacy Shield, tempering the Commission’s enthusiasm. Although WP29 did not abstain from underlining the improvements the Privacy Shield offers in comparison to the invalidated Safe Harbour decision, its concerns seem to eclipse those positive features, leading to the overall negative assessment of the new framework. Moreover, the impression is that the Privacy Shield led to more uncertainty, leaving everyone frustrated, with the exception of those authorities that negotiated it.

But what are, then, according to WP29, the improvements offered by the Privacy Shield? On the other hand, what major concerns does it raise? Finally, does it provide for adequate answers to post-Safe Harbour issues?

Firstly, it must be recognized, as WP29 certainly does, that the Privacy Shield represents a large step forward from Safe Harbour in terms of data protection. And, one could argue, it couldn’t be otherwise, since the Safe Harbour decision dates back sixteen years ago, before Facebook, the social network, big data era and the emergence of encryption vs. surveillance-like debates.

However, WP29 welcomes the additional recourses made available to individuals to exercise their rights, together with the extensive attention dedicated to data accessed for purposes of national security and law enforcement. Increased transparency measures are also appreciated by WP29: both those offered by the US administration on the legislation applicable to intelligence data collection and those provided through the introduction of two Privacy Shield Lists on the US Department of Commerce website (one containing the records of those organizations adhering to the Privacy Shield and one containing the records of those that have adhered in the past, but no longer do so).

Unfortunately, it seems that, these (few), general, positive notes are by far neutralized by the much more incisive negative remarks made by the WP29. WP29 points out the inadequate safeguards set forth to protect some key data protection principles under European law: the data retention principle is not expressly mentioned by Privacy Shield instruments (nor it can be clearly construed from their current wording) and onward transfers of EU personal data to third Countries are insufficiently framed. Despite the EU Commission’s enthusiastic press releases, WP29 underlines how, from the documents signed  by US authorities, it cannot be fully excluded that US administrations will continue the collection of massive and indiscriminate data. And one cannot abstain from noting how crucial the latter aspect is, being one of the main reasons that led the CJEU to invalidate the Safe Harbour decision. Moreover , WP29, while recognizing the effort to create additional oversight mechanisms, considers those efforts not satisfactory: the new redress mechanisms, in practice, may prove to be too complex and difficult to use and, more specifically, the capability of the Ombudsperson mechanism to be truly independent from US governmental authorities is strongly questioned. The lack of clarity of the new framework is also stigmatized by the WP29 by calling for a glossary of terms to be included in the negotiated instruments, in order to ensure that the key data protection notions of the Privacy Shield will be defined and applied in a consistent way. Lastly, the WP29 points out, rightly, how the newly issued Privacy Shield documents already appear out-of-date, considering the approval and forthcoming enter into force of the EU data protection reform, which will bring important improvements on the level of data protection offered to individuals, not at all reflected in the Privacy Shield.

The adequacy of the Privacy Shield to address the issues raised after the CJEU decision invalidating Safe Harbour is hence, at least, arguable. The significant uncertainty created after the fall of Safe Harbour is not only far from being clarified but, possibly, worsened. The major concerns raised by the CJEU have not been adequately tackled, especially if one considers the absence of clear-cut undertakings of the US authorities on mass surveillance programs by security intelligence agencies. Regulatory costs on companies and governmental agencies will not therefore be balanced by stability, certainty and higher levels of fundamental rights protection, leaving everyone dissatisfied.

So, what’s next for Privacy Shield? Another advisory decision is awaited from Article 31 Committee after the second half of May. Then, different options are available but, basically, the implementation of Privacy Shield could take place with or without addressing WP29’s most important concerns. In any case, legal challenges before the CJEU, as well as claims brought to national data protection authorities, will always be open and much likely to happen, given the overall uncertainty characterizing transatlantic data flows: trust is, indeed, very far from being restored.