Towards a Europe of data protection

Towards a Europe of data protection: the road is long.

Legal Watch No. 36 – June 2021

The General Data Protection Regulation raised many hopes in terms of clarity and effectiveness when it came into force.

While the European Directive it replaced already provided a relatively precise and binding legal framework, the GDPR intended to enable a harmonized implementation of these principles, wherever the companies concerned are located in the European Union.

The applicable sanctions, revised upwards, were also to be assessed by the supervisory authorities using a coherent analysis grid.

In fact, there seem to be many pitfalls that still limit this long-awaited harmonization.

German Commissioner Johannes Caspar, who is coming to the end of his term after twelve years at the head of the Hamburg state supervisory authority, stood by his position this June, once again denouncing the flaws in the implementation of the GDPR.

The cause: the long and complex procedures required before all the authorities meeting within the European Data Protection Board (EDPB) can reach a common position.

The GDPR has established a so-called "one-stop shop" procedure, which provides for the competence of a lead authority, that of the country of the main establishment of the company concerned by the investigation.

This lead authority must nevertheless work with the other national authorities concerned at the various stages of the procedure.

In practice, investigations are centralized under the Irish authority, which is competent to lead most of the cases against the GAFAM companies established on its territory. Twenty-eight procedures are reportedly underway with that authority, which is criticized for its slow and lenient handling of big tech companies such as Facebook and Twitter, a situation that is reportedly giving rise to long and difficult discussions with its counterparts within the EDPB.

The Commissioner of the Hamburg Authority calls for clear and dissuasive signals to be given by the supervisory authorities in good time so that data controllers comply in a similar manner wherever they are located in the European Union, and without distortion of competition.

It should be noted that this issue was identified by the Board itself in its 2020 annual report, and that improving cooperation between authorities is one of its priorities for 2021-2022.

Let us add that, although it suffers from procedural cumbersomeness, the "one-stop shop" system nevertheless has the advantage of allowing any citizen of the European Union to lodge a complaint with their national supervisory authority, even if the data controller is established in another country, with the competent authorities being responsible for cooperating in handling the complaint.

If the complainant is not satisfied with the outcome of the investigation, he or she may also seek redress in his or her own country.

The European Court of Justice also recalled in a judgment of June 15 the room for maneuver of authorities which are not the lead authorities in handling a cross-border complaint.

In the context of a dispute between Facebook (established in Ireland) and the Belgian data protection authority, the Court thus considered that the Belgian authority, although not the lead authority, could bring certain violations of the GDPR by Facebook before the Belgian courts.

This possibility is nevertheless limited to urgent cases (Article 66 of the GDPR) or to local cases (Article 56.2 of the GDPR). This ruling therefore does not signal the end of the one-stop shop, but tends to specify the exceptions to its application. The principle of cooperation between authorities thus remains the norm.

And also

France:

On June 30, the CNIL published the third version of its software designed to facilitate privacy impact analyses.

This new version guides managers in carrying out their impact analysis and enables the development of knowledge bases parallel to those provided by the CNIL.

The CNIL's restricted committee imposed a fine of 500,000 euros on the company Bricoprivé for

  • Sending prospecting emails without individuals' consent, and failing to comply with several other GDPR obligations:
    • Failure to comply with the data retention periods that the company had set for itself,
    • Failure to comply with information obligations and the right to erasure of data, and
    • With regard to data security, lack of strong passwords.

The CNIL also noted the use of cookies without the user's consent.

Europe:

On June 4, the European Commission published a new version of the standard contractual clauses, intended to facilitate international data transfers.

These clauses take into account the consequences of the Schrems II ruling of the European Court of Justice concerning the risks of access to data by the authorities of third countries, particularly in a national security context.

At the same time, the European Data Protection Board issued recommendations on June 18 aimed at guiding data controllers in analyzing such risks of data interception and enabling them to adopt additional protective measures.

Artificial intelligence:

The European Data Protection Supervisor and the European Data Protection Board have jointly published a call for a ban on the use of AI for

  • Automatic recognition of biometric data in public spaces,
  • Social scoring including through social media, and
  • The use of AI to identify people's emotional state.

This position echoes the publication of the European Commission's proposal on AI on April 21.

International data transfers:

On 28 June, the European Commission published its adequacy decisions concerning the United Kingdom.

One concerns the requirements of the GDPR and the other the European directive on police processing.

A new element is that the Commission is inserting a "sunset clause" which limits the validity period of decisions to four years.

The decisions may be renewed if the level of protection in the UK still meets European requirements.

Areas of concern include Britain's plans for new trade and free data flow agreements with emerging economies.

Belgium is in the sights of the European Commission, which has initiated a GDPR infringement procedure regarding the independence of its data protection authority.

The reason is that several of its members belong to government entities.

International:

An international coalition of more than 55 consumer protection, civil liberties and non-governmental organizations is calling for a ban on advertising based on tracking and profiling individuals.

This position was prompted by a report by the Norwegian Consumer Council, which revealed the consequences for society of commercial surveillance practices.

On June 16, the European Commission initiated a procedure aimed at recognizing the adequacy of data protection in South Korea.

Chinese authorities announced on June 10 the adoption of a law concerning data security, which also aims to protect the rights and interests of the persons whose data is processed.

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
