DATA PROTECTION IN DECEMBER 2023

By Mugurel Olariu, RPD protectie date

The European Data Protection Board – EDPB developed and published several working tools in December, among which we mention:

✔ Urgent binding decision 01/2023 requested by the Norwegian SC for the ordering of final measures regarding Meta Platforms Ireland Ltd (Art. 66(2) GDPR).*1

Following the EDPB’s urgent binding decision of 27 October 2023, the Irish Data Protection Authority (IE DPA) adopted its final decision on 10 November 2023 imposing a ban on Meta Ireland Limited (Meta IE) for processing personal data in behavioral advertising purposes based on contract and legitimate interest. The EDPB’ urgent binding decision followed a request from the Norwegian Data Protection Authority (NO DPA) to order final measures in this matter which would have effect throughout the European Economic Area (EEA).

EDPB President Anu Talus said: “After careful consideration, the EDPB considered it necessary to request the IE DPA to impose an EEA-wide processing ban on Meta IE. Already in December 2022, binding decisions of the EDPB clarified that the contract is not an adequate legal basis for Meta’s processing of personal data for behavioral advertising. In addition, Meta was found by the IE DPA to have failed to demonstrate compliance with orders imposed at the end of last year. This led to the use of art. 66 emergency procedure – a derogation from the usual cooperation procedure that can only be used in exceptional circumstances.”

We note that the decisions of the European authorities specialized in data protection were also based on the CJEU Judgment handed down in case C-252/21 having as its object a request for a preliminary decision made pursuant to Article 267 TFEU by the Oberlandesgericht Düsseldorf (Higher Regional Court of Düsseldorf, Germany), by decision of 24 March 2021, received by the Court on 22 April 2021, in the proceedings Meta Platforms Inc., formerly Facebook Inc., Meta Platforms Ireland Ltd, formerly Facebook Ireland Ltd, Facebook Deutschland GmbH v. Bundeskartellamt (Federal Competition Office, Germany).*2

✔ GDPR application successful, but sufficient resources are needed to meet future challenges. *3

During its last plenary meeting, the EDPB adopted its contribution to the European Commission’s report on the application of the GDPR. The EDPB considers that the application of the GDPR in the first 5 and a half years was successful. Although a number of important challenges lie ahead, the EDPB considers it premature to revise the GDPR at this time and calls on the co-legislators to quickly adopt the new regulation laying down additional procedural rules regarding the cross-border application of the GDPR. In addition, the EDPB points out that the DPA and the GDPR need sufficient resources to carry out their tasks further.

EDPB President Anu Talus said: “The GDPR has strengthened, modernized and harmonized data protection principles across the EU. The EDPB Guidelines have played a key role in making individuals and businesses aware of their rights and responsibilities under the GDPR. We will continue to support the implementation of the GDPR, particularly by SMEs, and raising awareness of the GDPR in general. In addition, cooperation between DPA and GDPR enforcement has gained momentum. More than ever, the EDPB is committed to ensuring effective and consistent enforcement of the GDPR.”

✔ The Cookie Pledge Initiative should help protect users’ fundamental rights and freedoms. *4

The EDPB adopted a letter in response to the European Commission on the voluntary initiative on the cookie commitment. The EDPB welcomes the Commission’s initiative, which aims to help protect users’ fundamental rights and freedoms, empower them to make effective choices and increase transparency towards users.

The cookie pledge initiative was developed by the European Commission in response to concerns about the so-called “cookie fatigue” phenomenon and consists of a voluntary business commitment to simplify cookie management and personalized advertising options for consumers. On 10 October 2023, the European Commission asked the EDPB to consider whether any of the draft Principles of Engagement would be contrary to the GDPR and the ePrivacy Directive.

The draft employment principles would ensure that users receive concrete information about how their data is processed, as well as the consequences of accepting different types of cookies. Users would therefore have greater control over the processing of their data. In addition, with the draft principles, consent should not be requested again for one year after it has been refused, this is an important step towards reducing cookie fatigue.

In addition, the EDPB signals that adherence to the cookie commitment principles by organizations does not equate to compliance with the GDPR or the ePrivacy Directive. Data protection authorities remain competent to exercise their powers when necessary.

————————————————–
*1 https://edpb.europa.eu/news/news/2023/edpb- publishes-urgentbinding-decision-regarding-meta_ro
*2 https://curia.europa.eu/juris/document/document.jsf?text=&docid=275125&pageIndex=0&doclang=RO&mode=lst&dir=&occ=first&part=1&cid=1667915
*3 https://edpb.europa.eu/news/news/2023/edpb-application-gdpr-successful-sufficient-resources-are-necessary-tackle_en
*4 https://edpb.europa.eu/news/news/2023/edpb-cookie-pledge-initiative-should-help- protect-fundamental-rights-and-freedoms_ro

Articolul precedentICE says “Goodbye” to London
Articolul următor7777 gaming unveils exclusive partnership with Azerlotereya