Draft ePrivacy regulation rejected by EU Council committee: In 2020 the EC will have to choose between re-drafting or withdrawal
Last Friday, the Council's position on the draft ePrivacy Regulation was rejected by the Permanent Representatives Committee of the Council of the European Union (COREPER). This is a significant setback for the European lawmaker: the ePrivacy Regulation has been in the making for many years and is meant to complement the GDPR on crucial topics such as cookies and unsolicited commercial communications. A revised text was issued by the Finnish presidency for review on 15 November with the aim of getting it through the Council meeting of 3 December 2019. However, too many Member State representatives rejected the proposal. In 2020, under the successive Croatian and German Council presidencies, the choice will be either for the Commission to withdraw the entire proposal or for the Council to re-draft its position in a new attempt to gather sufficient support for it. In practice this means that the rules in the EU around cookies and spam will remain a patchwork of national laws implementing the ePrivacy Directive, and that companies will have to check their compliance on a country-by-country basis.
More information available here.
The Dutch Data Protection Authority (Dutch DPA) recently announced its focus areas for the coming years, namely: (1) data trading, (2) digital government and (3) artificial intelligence and algorithms. According to the Dutch DPA, expectations around data privacy are strongly influenced by the continued growth of the data society, the increase in data imbalance and digital injustice, and the growing privacy awareness of users and the general public. The Dutch DPA concludes by stating that the protection of personal data is essential to our digital society, and that this has driven the selection of the three focus areas mentioned above.
More information can be found here (available in Dutch).
Recently, the Subdistrict Court ruled that the Dutch Employee Insurance Agency (UWV) acted in violation of the GDPR by sending automated communications to an employee's new employer concerning the employee's alleged continued state of sickness and a related obligation to apply for statutory sickness benefits. The employee had suffered a long period of sickness during her prior employment, but had not been sick at any point during her current employment. UWV failed to verify this with the employee and instead relied on its internal systems, which still recorded her as sick. As a result, UWV shared sensitive personal data concerning the employee with her new employer without any reasonable need to do so. The Court ruled that UWV had to compensate the employee for her damages. Noteworthy is that the amount of damages awarded was very low, limited to € 250 only.
Case available here.
The Dutch Data Protection Authority (Dutch DPA) has recently looked into the data processing operations of MRDM, a third-party IT services provider which collects, processes and distributes patient-identifiable medical data and information on behalf of a number of hospitals in the Netherlands. The Dutch DPA conducted an exploratory inquiry into the storage of patient data in the cloud by MRDM's sub-processor. After having reviewed the standard operating procedures and the sub-processing agreements, and having examined the technical and organisational security measures, the Dutch DPA decided not to open a formal regulatory investigation into the matter. As the Dutch DPA is generally thorough in its reviews, this decision not to take further (enforcement) steps is a meaningful sign that GDPR compliance can be achieved for cloud-based processing of patient data.
For hospitals, research institutions and other players in the healthcare sector, as well as their technology suppliers, the outcome of the Dutch DPA's inquiry provides at least some comfort and guidance.
The notice of the Dutch DPA can be found here (available in Dutch).
Halfway through the second year of the GDPR, most of the national Data Protection Authorities in Europe have shed light on their enforcement priorities and communicated their sanctioning approaches and policies. In the meantime, a number of GDPR-related enforcement actions have been issued across Europe, ranging from a few hundred euros (imposed in Germany on an individual) up to 50 million euros (imposed in France on a technology company).
During our Ahead of Privacy event earlier this year, we launched the first version of our GDPR Enforcement Tracker that has now been added to our Global Knowledge Management solution. The updated Tracker provides a comprehensive overview of the EU enforcement actions since the introduction of the GDPR in May 2018.
Obviously, data privacy goes beyond the GDPR and its national implementation, with the ePrivacy/Cookie Directive as the most obvious example for Europe, not to mention the upcoming regulations in California (CCPA), Brazil (LGPD) and other geographies. The current version of our Enforcement Tracker looks through the European privacy lens. Besides the GDPR enforcement actions, it also covers relevant cases sanctioned under other regimes, such as ePrivacy, cookie, competition or other laws we deem relevant in the privacy context.