Undoubtedly, 2019 was a busy year in the area of privacy. In Portugal, the GDPR Enforcement Law was approved and the Portuguese Authority (CNPD) took the controversial decision of “disregarding” some of the respective rules. The EDPB and the TJUE were also active, issuing several decisions and opinions, some very interesting. At the end of the year, the Advocate General in case Schrems II gave us excellent news by confirming the validity of standard contractual clauses for transferring data outside the EU. Finally, both the CNPD and the other European supervisory authorities have issued the first fines under GDPR.

On our side, we delivered the first Privacy Training Series which included several topics, such as DPIAS, data breaches, data controllers/processors/joint controllers, marketing consent and GDPR implementation law. We benefited from a specialized and participative audience that contributed to an enriching discussion about the cases approached and the success of the sessions.

Here are some of the highlights of the year 2019.

1. National Legislation

  • Law No. 58/2019 of 8 August, which ensures the implementation in Portugal of Regulation (EU) 2016/679 of the Parliament and of the Council of 27 April 2016 on the protection of individuals, as regards the processing of personal data and the free movement of such data (GDPR). To consult, click here.
  • Law No. 59/2019 of 8 August, adopting the rules on the processing of personal data for the purpose of preventing, detecting, investigating or prosecuting criminal offenses or the execution of criminal sanctions, transposing Directive (EU) 2016 / 680 of the European Parliament and of the Council of 27 April 2016. To consult, click here.
  • Law No. 46/2019 of July 8th, which amends the regime for the exercise of private security activity and self-protection, which makes the first amendment to Law No. 34/2013, of May 16th. To consult, click here.

2. European Data Protection Board (EDPB)

  • January 2019: Opinion on the legal basis for the processing of personal data in the context of clinical trials, in particular as regards the primary use of data for the clinical trial protocol itself and secondary use for other scientific purposes. To consult, click here.
  • March 2019: Opinion on the interaction between the ePrivacy Directive and the GDPR. The EDPB points out that the ePrivacy Directive (and its transposition laws) is lex specialis for GDPR, which means that whenever there is a “special rule” regarding the processing of personal data that is more specific than the rule of the GDPR, it takes precedence over the latter. To consult, click here.
  • July 2019: The preliminary version of the guidelines on the processing of personal data through video surveillance systems were published for public consultation,
  • October 2019: The final version of the guidelines on the scope of Article 6 (1) (b) of the GDPR in the context of information society services. The legal grounds for the processing of data for performance of a contract to which the data subject is a party or for pre-contractual diligences, including behavioural advertising, are addressed. To consult, click here.
  • November 2019: The final version of the guidelines on the territorial scope of the GDPR. The guidelines aim to provide a common interpretation to the various Member States to assess whether a particular processing activity falls within the territorial scope of the GDPR. To consult, click here.
  • November 2019: Published, for public consultation, the preliminary version of Guidelines 4/2019 regarding privacy by design and by default. To consult, click here.
  • December 2019: Following the EDPB opinion (July 2019) on drafting standard contractual clauses (SCCs) for contracts between controller and processor submitted to the Council by the Danish Supervisory Authority, the final text was published by the EDPB. To consult, click here.
  • December 2019: Publication of the draft guidelines on the right to be forgotten in search engine cases. To consult, click here.
  • The EDPB approved, throughout the year, the lists of personal data processing activities subject to Data Protection Impact Assessments, pursuant to Article 35 (4) of the GDPR. To see the national list, click here.

3. European Court of Human Rights (ECHR)

  • LÓPEZ RIBALDA & others v. SPAIN: The ECHR's Grand Chamber reversed an earlier decision issued by the Chamber, arguing that the use of CCTV by a Spanish employer to detect workplace theft does not infringe Article 8 of the European Convention on Human Rights. To consult, click here.

4. CNPD

  • Deliberation 2019/494: which disregards some rules of Law No. 58/2019, of 8 August, because they allegedly contradict the provisions of the GDPR. To consult, click here.
  • Deliberation 2019/495: interpretative resolution on the exemption from fines of public entities, provided for in Article 44 (2) and Article 59 of Law 58/2019 of 8 August. The CNPD considers that such a reasoned exemption can only be requested after a crime has been committed. To consult, click here.
  • Guidelines 1/2019: Regarding the processing of personal data in the context of election campaigns and political marketing. To consult, click here.
  • Guidelines 2/2019: Regarding the processing of personal data in the context of intelligent electricity distribution networks. To consult, click here.

5. Other Supervisory Authorities

CNIL (French Authority)

  • Updated guidelines on the use of cookies and similar technologies. To consult, click here.
  • Opinion on facial recognition and the legal, technical and ethical aspects that should be taken into account. To consult, click here.

ICO (UK Authority)

  • Updated guidelines on the use of cookies and similar technologies. To consult, click here.
  • Guidelines on the handling of special categories of data. To consult, click here.
  • Preliminary version of the updated guidelines regarding data access requests by data subjects. To consult, click here.

AEPD (Spanish Authority)

  • Updated guidelines on the use of cookies and similar technologies. To consult, click here.

6. Court of Justice of the European Union

  • Fashion ID Judgment (C-40/17): Established that website operators are joint controllers with Facebook in handling data collected and transmitted to Facebook through a 'like' plug-in, which allows Facebook to collect data from the operator's website. To consult, click here.
  • Planet49 Judgment (C-673/17): This decision confirms that the declaration of consent through a pre-ticked box is not valid as consent for the use of cookies. The controller should provide the user with information about cookies, including the duration of the processing and whether or not it allows access by third parties. To consult, click here.
  • Google Judgment (Right to be Forgotten) (C-136/17): Clarifies that when accepting a request to de-reference the search engine operators are not required to de-reference the results on all of their search engine’s domain name extensions (i.e., worldwide), but only on the domain names corresponding to the EU Member States’ versions of the search engine To consult, click here.
  • Buivids judgment (C-345/17): The CJEU clarifies that the publication, without restriction of access, of a video on YouTube (or in another video internet site) on which users can upload, view and share, and making accessible personal data to an indefinite number of persons, constitutes processing of personal data which is not part of the exercise of purely personal or domestic activities. According to the Court, such publication may constitute processing of personal data for purely journalistic purposes, within the meaning of the GDPR, provided that it follows from that video that such recording and publication is for the sole purpose of disclosing information, opinions and ideas to the public. To consult, click here.
  • Schrems II (Case C-311/18): The Advocate General of the Court of Justice of the European Union (CJEU) recommended that the CJEU uphold the validity of the Standard Contractual Clauses (SCCs) as an appropriate mechanism for transfer of personal data outside the EU. To consult, click here.

7. Sanctions

The fines imposed by the European supervisory authorities on controllers and processors for infringing personal data protection legislation increased exponentially throughout 2019. The increase was noticeably steeper from July 2019.

Here are some of the fines imposed to data controllers and processors in Portugal and in other EU countries in 2019.