protectia datelor

DATA PROTECTION in June 2020 AT EUROPEAN AND NATIONAL LEVEL

By Mugurel Olariu, RPD protectie date

Data protection authorities – at European and national level, are working in the context of the COVID-19 pandemic to facilitate the correct application of data protection legislation by Member States and controllers. The EDPB made, among other things, two statements on 16.06.2020, which aim at reopening of borders and, respectively, the interoperability of contact tracking apps following the COVID-19 outbreak. We further present their activity, as follows:

I. At the EUROPEAN LEVEL, the European Data Protection Board – EDPB, held a series of four plenary meetings – from the 30-th to the 33-rd, being organized remote meeting / on-line, on 2, 9, 16 and 30 June, as follows:

02.06.2020:
Key Provision ESG – Response letter to NGOs and statement on the Hungarian decrees.1

09.06.2020:
2. Current Focus of the EDPB Members:
2.1. Open letter from NOYB to the EDPB and others.
2.2. Questionnaire on opening borders.
2.3. Response letter to ENISA advisory group.
3. FOR DISCUSSION AND/ OR ADOPTION – Expert Subgroups and Secretariat:
3.1. BTLE ESG – Response letter to MEPs on use of Clearview AI by law enforcement authorities.
3.2. Social Media ESG:
TikTok Task Force.
TikTok draft letter to MEP Körner.2

16.06.2020:
2. Current Focus of the EDPB Members:
2.1. Statement regarding the opening of borders and the protection of data protection right.
3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat:
3.1. TECH ESG:
3.1.1 Statement on interoperability of contact tracing applications.
3.1.2 Response letter to MEP Korner on encryption.
3.1.3 Response letter to MEP Korner on Art 25.
3.2. ITS ESG – Letter to the Committee of European Auditor Oversight Bodies (CEAOB) on Public Company Accounting Oversight Board (PCAOB) arrangements.3

30.06.2020:
2. Current Focus of the EDPB Members:
2.1. EDPB action plan.
2.2. Presentation of the European Commission report on the GDPR evaluation.
3. FOR DISCUSSION AND/OR ADOPTION – Expert Subgroups and Secretariat:
3.1. State of play: current actions.4

At its 32-nd Plenary meeting, on 16.06.2020, the EDPB also adopted two statements of interest in the context of the COVID-19 pandemic, which refers to:
✔ the processing of personal data in the context of reopening of borders following the COVID-19 outbreak.5
Certain aspects of data protection legislation are specified, namely: lawfulness, fairness and transparency, purpose limitation, data minimization, storage limitation, security of the data, data protection by design and by default, Data Protection Impact Assessment, sharing of personal data, automatic individual decision making, which must be taken into account by Member States.
✔ the data protection impact of the interoperability of contact tracing apps.6
Contact tracing applications can only be a temporary solution as part of a comprehensive public health strategy to fight the current pandemic. For each introduced measure, it needs to be assessed whether a less intrusive alternative can achieve the same purpose, and ensured that any measure applied is effective and proportionate.

DATA PROTECTION

II. At the NATIONAL LEVEL, the National Authority for the Supervision of Personal Data Processing – ANSPDCP, posted on its website, the details of three sanctions, a statement by the EDPB and a communication from the European Commission, as follows:

11.06.2020:
– The operator Estee Lauder Romania SRL was sanctioned with a fine in the amount of 14483.4 lei, the equivalent of 3,000 EURO.7 Notification mechanism: complaint. Motivation: illegal processing by collection and disclosure. Violation: art. 6, 7 and 9 of the GDPR.
– The operator of Telekom Romania Communications SA was sanctioned with a fine in the amount of 14524.2 lei, the equivalent of 3,000 EURO.8 Notification mechanism: complaint. Motivation: insufficiency of security measures / accuracy of personal data collected by telephone. Violation: art.32 of the RGPD.

18.06.2020:
– The operator Enel Energie Muntenia SA was sanctioned with a fine in the amount of 19368.4 lei, the equivalent of the amount of 4,000 EURO.9 Notification mechanism: complaint. Motivation: insufficiency of security and confidentiality measures / prevention of disclosure of personal data to unauthorized persons. Violation: art.32 of the RGPD.

24.06.2020:
– EDPS Declaration – interoperability of Covid 19.10 The declaration emphasizes the need to respect the transparency and legality of the processing involved, the rights of users, respect for the principle of data minimization and ensure their confidentiality. Also, interoperability should not be used as a reason to extend the collection more than necessary.
It is also noted that Guidelines 4/2020 on the use of location data and contact tracking tools in the context of the COVID-19 pandemic were adopted on 21 April 2020.11, being provided also the Romanian version of the guidelines, by translating them by the EDPB members.

30.06.2020:
– Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation (GDPR)12.
The press release.13 of the European Commission reviews the main findings of the GDPR examination, being mentioned first of all the fact that several levers are put available to citizens and raising awareness of their rights.14 – The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure and opposition, as well as the right to data portability.
It is also stated that “The key objective at this stage is to support a harmonized and consistent implementation and enforcement of the GDPR throughout the European Union. This requires a strong commitment from all actors:
✔ ensuring that national legislation, including sectorial legislation, is fully in line with the GDPR;
✔ Member States to allocate to national data protection authorities the human, financial and technical resources necessary for the correct application of data protection rules;
✔ data protection authorities to develop effective working procedures on the functioning of cooperation and coherence mechanisms, including on procedural issues;
✔ using the tools provided by the GDPR to facilitate the application of the rules, for example through codes of conduct;
✔ closely monitors the application of GDPR in connection with new technologies such as artificial intelligence, Internet of Things, blockchain.
With regard to international work, the Commission will continue to focus its efforts on promoting the convergence of data protection rules as a way to ensure safe international data flows.”

————————————————————————
1. See at https://edpb.europa.eu/sites/edpb/files/files/file1/20200602plenagenda_public_en.pdf
2. See at https://edpb.europa.eu/sites/edpb/files/files/file1/20200609plenagenda_public_en.pdf
3. See at https://edpb.europa.eu/sites/edpb/files/files/file1/20200616plen_publicagenda_en.pdf
4. See at https://edpb.europa.eu/sites/edpb/files/files/file1/20200630plenagendapublic.pdf
5. See at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statementreopeningbordersanddataprotection_en.pdf
6. See at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_statementinteroperabilitycontacttracingapps_en_0.pdf
7. See at https://www.dataprotection.ro/?page=Amenda_pentru_incalcarea_RGPD_iunie_2020&lang=ro
8. See at https://www.dataprotection.ro/?page=O_noua_sanctiune_pentru_incalcarea_RGPD_iunie_2020&lang=ro
9. See at https://www.dataprotection.ro/?page=Amenda_pentru_incalcarea_RGPD_Enel_iunie2020&lang=ro
10. See at https://www.dataprotection.ro/?page=declaratie_EDPB_iunie_2020_Covid_19&lang=ro
11. See at https://www.dataprotection.ro/servlet/ViewDocument?id=1899
12. See at https://www.dataprotection.ro/?page=Comunicat_30_._06_._2020&lang=ro
13. See at https://www.dataprotection.ro/servlet/ViewDocument?id=1925
14. Today 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people heard about their national data protection authority, according to results published in a survey from the EU Fundamental Rights Agency.