Data Protection Authorities

Last week, the European Data Protection Supervisor (the “EDPS”), in collaboration with European consumer organisation BEUC, hosted a joint conference on Big Data: individual rights and smart enforcement in Brussels (for the conference agenda, see here).  The conference brought together leading regulators and experts in the areas of competition, data protection and consumer

Today, the German supervisory authorities (“German DPAs”) responsible for data protection at federal and state (Länder) level published a position paper on the EU-U.S. Safe Harbor (available in German – see here).  This 14-point position paper follows a meeting that these authorities held last week.  Key points include:

  • following the Safe Harbor

On October 1st, 2015, the Court of Justice of the EU rendered its judgment in the Weltimmo case (C-230/14).  The case addressed two important aspects of EU data protection law, namely applicable law and the scope of the territorial powers of data protection authorities.

The case arose out of a dispute between Weltimmo, a company registered in Slovakia, which operates property dealing websites concerning Hungarian properties, and the Hungarian data protection authority.  Several advertisers lodged a complaint with the data protection authority, which imposed a fine on Weltimmo for a violation of the Hungarian Law on Information.Continue Reading EU’s Highest Court Rules on Applicable Law and Territorial Powers of the National Data Protection Authorities

 

  1. The CJEU “Right to be Forgotten” Ruling.  In May 2014, the Court of Justice of the European Union (CJEU) delivered an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12).  The CJEU’s decision re-interpreted European data protection law to include a so-called “right to be forgotten” that enabled individuals to request search engines to block links that appear on searches of their names if the links go to information that is incomplete, inaccurate, irrelevant, or otherwise damaging to an individual’s privacy.  (This right is limited in the case of public figures, however.)  The decision also found that Google was subject to European data protection law because it operated subsidiaries in Europe whose business was to raise advertising revenues in relation to the search engine’s data processing activities.  The decision triggered an immediate tidal wave of tens of thousands of requests to Google and other search engines that continues to raise controversies to this day.
  1. CJEU strikes down the Data Retention Directive as invalid. In April 2014, the CJEU took the rare step of annulling the controversial Data Retention Directive, which mandated the systematic (“bulk”) retention of communications metadata by telecommunications companies in the EU, for potential access by law enforcement authorities (see our blog post here).  The Court criticised the Directive’s indiscriminate targeting of suspects and non-suspects alike, and the law’s general lack of safeguards, finding that it amounted to an “interference with the fundamental rights of practically the entire European population” contrary to Articles 7 and 8 of the Charter of Fundamental Rights of the EU.  The Directive’s invalidation raised questions about the continuing validity of the national laws that had implemented the Directive throughout the EU.  In the UK, this lead to the accelerated adoption of substitute legislation, the Data Retention and Investigatory Powers Act 2014 (“DRIPA”), and its implementing regulations.
    Continue Reading Top 10 International Privacy Developments of 2014

The 35th International Data Protection and Privacy Commissioners Conference, which comprises national, regional and local data protection and privacy authorities from all five continents, convened in Warsaw last week. The Conference adopted a total of nine resolutions and a declaration, which is the highest number of resolutions since the Conference’s first annual meeting back in 1979. This year’s resolutions focus on two main topics:

The 35th International Data Protection and Privacy Commissioners Conference, which comprises national, regional and local data protection and privacy authorities from all five continents, convened in Warsaw last week. The Conference adopted a total of nine resolutions and a declaration, which is the highest number of resolutions since the Conference’s first annual meeting back in 1979. This year’s resolutions focus on two main topics:

  • Internet and technology issues, such as

    • web tracking
    • profiling
    • apps
    • openness and privacy notices

  • International enforcement coordination

Continue Reading Web Tracking, Profiling, Mobile Apps, Privacy Notices and More Effective International Enforcement Coordination Among Hot Topics of the 35th International Conference of Privacy Commissioners

On 16 October 2012, the Court of Justice of the European Union (“CJEU”) ruled in favour of the European Commission in its claim against Austria that the Austrian Data Protection Authority, the Datenschutzkommission (“DSK”), was not independent from the Austrian government as required under Article 28 of the EU’s Data Protection Directive. The Commission’s action was supported by the European Data Protection Supervisor (“EDPS”); Austria’s defence was supported by Germany.

Article 28, which was the focus of the case, requires data protection authorities to “act with complete independence in exercising the functions entrusted to them”. This principle is also made clear in the Charter of Fundamental Rights of the EU and in the Treaty on the Functioning of the EU (“TFEU”).Continue Reading The European Court of Justice Rules That Austria’s Data Protection Authority Is Not Sufficiently Independent