Washington’s My Health My Data Act (“HB 1155” or the “Act”), which would expand privacy protections for the health data of Washington consumers, recently passed the state Senate after advancing through the state House of Representatives.  Provided that the House approves the Senate’s amendments, the Act could head to the governor’s desk for signature in the coming days and become law.  The Act was introduced in response to the United States Supreme Court’s Dobbs decision overturning Roe v. Wade.   If enacted, the Act could dramatically affect how companies treat the health data of Washington residents. 

This blog post summarizes a few key takeaways in the statute.

Continue Reading Washington’s My Health My Data Act Passes State Senate

On March 24, 2023, the Austrian Supervisory Authority (“Austrian SA”) held that a credit referencing agency (“Agency”) breached the GDPR by unlawfully processing personal data obtained from a third party in order to conduct credit assessments.  It decided that the Agency breached the GDPR’s principle of lawfulness because it did not have a valid legal basis to process the personal data.  This case will be relevant for organizations assessing their lawful basis for processing personal data.

Continue Reading Austrian Supervisory Authority Issues Decision on the Collection of Personal Data by Credit Referencing Agency

On March 2, 2023, the Court of Justice of the EU (“CJEU”) decided, in case C-268/21, that the GDPR applies to the production of evidence in civil court proceedings. The case sets limits on, but does not preclude, the production of personal data in court proceedings. 

The case arose from a dispute between a construction company and its customer concerning payment for construction works. The customer requested a Swedish court to order the construction company to provide a copy of its electronic staff register containing, among other things, the identity of the people involved in the construction works and the hours they had worked – construction companies are required to maintain such a registry under Swedish tax law. The construction company opposed the order, claiming that the reuse of the register in the context of a civil dispute was incompatible with the initial purpose of the register and therefore not allowed under GDPR. The Swedish Supreme Court referred the matter to the CJEU seeking answers on (i) whether the GDPR applies to the production of evidence containing personal data in court proceedings; and (ii) whether national courts, when assessing whether the production of evidence containing personal data has to be ordered, should have regard to the interests of the data subjects concerned. 

The CJEU found that the production of evidence containing personal data ordered by a court in the context of judicial proceedings constitutes data processing under the GDPR. The CJEU also held that, in this case, providing the register under a court order served a different purpose (i.e., civil proceedings) from the one for which the data had been collected initially (i.e., tax compliance).

However, according to the court, this “secondary use” of the register was permissible on the basis of Article 6(1)(e), (3) and (4) GDPR, because the “secondary use” was made under a national or EU law seeking to safeguard an objective referred to in Article 23(1) of the GDPR. The CJEU held that the proper administration of justice – for example through the production of documents to court – was one of those objectives. The result of this is that, in assessing whether disclosure of documents in court proceedings is consistent with the GDPR, national courts will have to assess on a case-by-case basis whether the relevant provisions of national or EU law under which the documents are being disclosed serve one of the objectives in Article 23(1) of the GDPR, and whether the disclosures are necessary and proportionate to meet those objectives. Where only a partial disclosure of personal data is justified, the court should consider data minimization measures, such as pseudonymization.

Other national developments

Similar questions have been raised at the national level.

On March 8, 2023, the French Court of Cassation held that the right to obtain evidence in civil procedures can justify the production of documents affecting the personal lives of third parties. The case related to the production of pay slips of other employees, which were essential evidence for the claimant’s allegation that their employer had violated equal-pay laws. The Court held that such production of documents was permissible provided that the documents formed essential evidence for the claimant’s claim, and that the interference with privacy was proportionate to the aim pursued. However, courts will still have to limit access to documents to what is strictly necessary. 

On January 11, 2023, the Italian Garante decided that the production in civil law proceedings of a former consultant’s email communications was unlawful under data protection law. The dispute arose from a complaint concerning a company’s access to e-mails sent by a former consultant using their company e-mail account. In the context of civil proceedings, which occurred following the termination of the consultant’s agreement with the company, the company accessed the e-mails and produced some of them as evidence.

The Garante decided that the right to produce evidence does not waive the right to data protection, especially where the data concerned (electronic communications) is subject to special guarantees of secrecy under the Italian Constitution. In particular, the Garante held that the company’s legitimate interest in processing personal data to defend its own rights in court did not invalidate the consultant’s right to protection of their personal data. Unlike the two decisions above, this case involved the proactive disclosure of a third party’s personal data in a proceeding by one of the parties – not a document production ordered by a court.

                              *                             *                             *

Covington’s Data Privacy and Cybersecurity Practice monitors CJEU and national cases closely and reports on relevant Court decisions and Advocate General opinions. If you have any questions about the interaction between data protection and local laws we are happy to assist.

On February 28, 2023, the European Data Protection Board (“EDPB”) released its non-binding opinion on the European Commission’s draft adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”).  The adequacy decision, once formally adopted, will establish a new legal basis by which organizations in the EU (as well as the three EEA states of Iceland, Liechtenstein, and Norway) may lawfully transfer personal data to the U.S., provided that the recipient in the U.S. certifies to and abides by the terms of the DPF (see our previous blogpost here). 

The Commission sought the EDPB’s opinion pursuant to Article 71(1)(s) of the GDPR.  The EDPB welcomes the fact that elements of the DPF represent a substantial improvement over the Privacy Shield, which was annulled by the EU Court of Justice (“CJEU”) in Schrems II (see our previous blogpost here).  Nonetheless, the EDPB notes some concerns and seeks clarification on certain aspects of the DPF from the Commission.  For example, the EDPB welcomes the establishment of a specific mechanism by which non-U.S. persons may seek redress for certain U.S. government surveillance of their personal data, but calls on the Commission to closely monitor the implementation of this mechanism in practice.

Continue Reading EDPB Releases its Opinion on the Proposed EU-U.S. Data Privacy Framework

On February 3, 2023, the German Data Protection Conference (“Datenschutzkonferenz”, “DSK”) published its decision, dated January 31, 2023, on the data protection assessment of access possibilities for third country public authorities to personal data processed by an EU/EEA-based subsidiary of a third country-based parent company pursuant to Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

Firstly, the DSK states – deviating from a decision of the Public Procurement Chamber Baden-Württemberg in July 2022 – that the mere risk that third country public authorities or a third country-based parent company of an EU/EEA-based company could instruct it to transfer personal data to a third country does not constitute a data transfer within the meaning of Art. 44 et seq GDPR.

However, the DSK highlights that the controller must take this risk into account when assessing the processor’s reliability pursuant to Art. 28(1) GDPR. The DSK takes the view that the reliability assessment of an EU/EEA-based processor with a parent company in a third country requires an assessment of all circumstances of the individual case. The relevant criteria for the assessment include, for example, the risk that the third country-based parent company will instruct the EU/EEA-based subsidiary to transfer personal data to a third country, or assurances given by the third country-based parent company as to how it will deal with conflicts between EU law and law of the third country and whether the EU/EEA-based processor and the third country-based parent company can comply with these assurances. It’s also necessary to assess whether and if so, to what extent the EU/EEA-based processor and/or the data it processes are covered by third-country law obligations and/or practices. If the EU/EEA-based processor and/or the data it processes are covered by the third-country law and/or practices, it needs to be assessed whether the EU/EEA-based processor provides sufficient guarantees to prevent processing operations that are unlawful under the standards of the GDPR or the applicable Member State law, in particular processing without or against the instructions of the controller based on obligations under third country law.

The DSK noted that, if there is a risk that third-country law and/or practices may require processing by the EU/EEA-based subsidiary of a third country-based parent company that is unlawful under EU law, engaging the subsidiary as an EU/EEA-based processor is not in itself sufficient to establish reliability under Article 28(1) of the GDPR. If no guarantees can be provided, this shortcoming must be compensated for by additional technical and/or organizational measures. With regard to appropriate measures, the DSK refers to the recommendations of the European Data Protection Board (“EDPB”) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, dated June 2021, which should be applied accordingly.

The DSK concludes the decision by announcing that it will promote further discussion of this issue in the EDPB.

On February 9, 2023, the Court of Justice of the EU (“CJEU”) released two separate rulings on the dismissal of data protection officers (“DPOs”) under the German Federal Data Protection Law (“German DPL”) (C-453/21 and C-560/21).  The main question in both cases was whether Section 6(4) of the German DPL which permits the dismissal of a DPO with “just cause” is compatible with the GDPR.  In short, the CJEU (i) found that the provision was compatible with the GDPR because EU member states can use “just cause” as a threshold for dismissal as long as this does not undermine the objectives set for DPOs under the GDPR, and (ii) clarified the criteria EU member states should take into account to determine whether there is a conflict of interest.

Continue Reading Court of Justice of the EU Clarifies Rules on Data Protection Officers’ Dismissal and Conflicts of Interest

On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller has disclosed or will disclose the data subject’s personal data or (ii) only the categories of data recipients.  The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”

Continue Reading Court of Justice of the EU Decides that GDPR Right of Access Allows Data Subjects to Request the Identity of Each Data Recipient

The Colorado Attorney General released updated draft rules interpreting the Colorado Privacy Act on December 21, 2022 (“Draft Rules”).  These revisions follow a series of stakeholder sessions on November 10th, 15th, and 17th.  The Attorney General will convene a formal rulemaking hearing on February 1, 2023.  In advance of the formal rulemaking hearing, stakeholders may submit written comments for consideration. 

Continue Reading Colorado Attorney General Releases Revised Colorado Privacy Act Draft Rules

On December 15, 2022, the Advocates General (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access pursuant to Article 15 GDPR.  The first case concerns the proper interpretation and application of Article 15(3), which, among other things, permits a data subject to obtain a “copy” of their personal data. The second case concerns whether the right of access includes the right to receive the identity of the controller’s employees who process the data subject’s personal data in the course of their employment.

Continue Reading CJEU’s Advocate General Issues Opinions on the GDPR’s Right of Access to Personal Data

The upcoming date of December 27, 2022, marks the end of the roughly one and a half year-long transition period that companies had to replace the old versions of the standard contractual clauses for international transfers of personal data with the new standard contractual clauses, which the European Commission adopted on June 4, 2021.  As of December 27, 2022, EU Supervisory Authorities may start GDPR enforcement proceedings against any companies that still rely on the old version of the standard contractual clauses.

Covington is well placed to assist clients in amending their contracts to take into account the new standard contractual clauses and, more generally, to ensure compliance with the GDPR rules on international data transfers.

Continue Reading Countdown for Implementing the New EU Data Transfer Contracts and Overview of other EU Transfer Developments