DATA PRIVACY ALERT 6 July 2015
Austrian Court Rejects Facebook Privacy Case
The Vienna Regional Court has found that a European “class action” against Facebook is not admissible on procedural grounds. Mr Schrems, an Austrian law student, is suing Facebook for €500 (US$557) in damages for each of the suit’s participants, for a total of €12.5 million in damages, arguing that Facebook has breached EU rules on data protection. The Vienna court stated that it didn’t have jurisdiction in the case because Mr Schrems used Facebook for professional reasons and therefore can’t be considered a consumer.
It also said the class-action-style lawsuit that he is planning can’t be brought before an Austrian court. Mr Schrems has announced that the case will be appealed to the Austrian Higher Regional Court.
Belgian Constitutional Court Dismisses Data Retention
In a recent ruling, the Belgian Constitutional Court declared the Belgian law on data retention invalid. The law in question implemented the EU directive on data retention that was declared invalid by the European Court of Justice in 2014. The constitutional courts of Germany, Bulgaria and Netherlands have already dismissed similar national data retention laws.
China Adopts New Law on National Security
On July 1 2015, China’s top legislature adopted a new national security law highlighting cybersecurity and demanding the establishment of a coordinated, efficient crisis management system. The new law, which will be signed into force by President Xi Jinping on July 8, 2015, covers a wide spectrum of areas including defence, finance, science and technology, culture and religion. Outer space activities and assets, as well as those at ocean depths and in polar regions are also covered by the new legislation. The new law also includes a clause on cyberspace sovereignty, making the Internet and IT, infrastructure, information systems and data in key sectors “secure and controllable.”
Article 29 Data Protection Working Party Publishes Opinion on Utilisation of Drones
The Article 29 Data Protection Working Party has published an opinion, adopted on 16 June 2015, which provides guidelines to address the data protection rules in the context of drones. The opinion covers, amongst others, the risks in terms of safety, third party liability and privacy, the obligations which should be met before operating a drone and recommendations to European and national policy makers for the strengthening of a framework which guarantees respect for all fundamental rights at stake.
Member States Must Publish Lists of Beneficiaries of Agricultural Payments
According to new EU transparency rules that have been in force since 1 June 2015, EU Member States are obliged to publish lists of beneficiaries of agricultural payments. Such lists must be published by each Member State’s Ministry of Agriculture. They need to include the name of the beneficiary, the amount of the payments and a description of the project in question. These rules are part of the 2013 reform of the Common Agricultural Policy. They also belong to the broader objective of the Commission to improve transparency regarding the use of the EU budget. However, the transparency of agricultural payments must be balanced with the protection of the beneficiaries’ personal data, the Commission stated.
German Draft Law on Data Retention
As required by the Directive 98/34/EC, the German Federal Government has notified the draft law on data retention to the EU Commission. The draft stipulates that telecommunication providers must retain data like phone numbers, time and place of communication, and IP addresses for four or 10 weeks. After expiry of the retention period, the data retained must be deleted, according to the draft. The EU Commission and EU Member States can comment on the draft within three months (till 7 September 2015). Considering the ECJ ruling on data retention, critical statements on the draft can be expected.
In a joint resolution, German data protection officers took a critical stand towards the draft law. The officers expressed serious doubts whether the draft is compatible with German constitutional and EU law, particularly basic rights such as secrecy of telecommunication and privacy. The Conference suggests discussing the draft law in an open debate with broad public participation.
Hessian Privacy Commissioner Calls for Stricter Legislation on Data Fencing
The Hessian Privacy Commissioner, Eva Kühne-Hörmann, has criticized the federal draft law on the introduction of data fencing as a criminal offence for being too soft. According to Kühne-Hörmann, important elements of the Hessian legislative initiative like criminal penalties higher than two or three years of imprisonment are missing in the federal draft law. Kühne-Hörmann sees the need to react more decisively to the tendency that hacking becomes more and more international and professional. Citizens thus need to be better protected in areas like telecommunication, digital payment and social networks.
Federal States Testing Police Body Cameras
In a press release, the Rheinland-Pfalz Ministry of the Interior announced that the use of open body cameras (bodycams) by specially trained policemen will be tested from 1 July 2015. According to the Ministry, this pilot project shall find a solution for the growing violence against policemen. Bodycams are supposed to be a preventive and de-escalating measure particularly in inspections. Rheinland-Pfalz is the second Federal State after Hessen to introduce police bodycams. The implications for data privacy law are yet to be seen.
Information Commissioner’s Office Publishes Annual Report for 2015
The Information Commissioner’s Office published their latest annual report on 1 July 2015. In the report, Information Commissioner Christopher Graham points to the strengthening of his regulatory powers to show how data protection legislation continues to develop. The report focuses on what the ICO has achieved in the past year, including being given powers to compulsorily audit NHS bodies for their data handling, making it an offence to force a potential employee to make a subject access request and changing the law to make it easier to issue fines to companies behind nuisance calls and texts.