An overview of interesting Data & IT Law articles and news in July 2017!
New papers about consumer protection under GDPR
Several authors published new articles on various consumer rights under GDPR.
Eoin O'Dell published an article “Compensation for Breach of the General Data Protection Regulation” via SSRN. It analyses Article 82 of Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR). The author argues that “it is not clear that Article 82(1) GDPR is directly horizontally effective though the Court (eventually, if and when it is asked) is likely to interpret it broadly. This means that the safest course of action at this stage is to provide expressly for a claim for compensation in national law.”
Richard Steppe published an article “Online price discrimination and personal data: A General Data Protection Regulation perspective” in Computer Law & Security Review. It applies the concepts of personal data and automated processing to several discriminatory pricing cases and examples. The paper also includes a list “of rights and obligations pertinent to online discriminatory pricing, such as transparency obligations and the right to access, as well as the right to rectify the data on which price discrimination is based, and the right not to be subject to certain discriminatory pricing decisions.”
WP29 Group's new opinion on data processing at work
The EU Article 29 Working Party (WP29) released an opinion on data processing at work. It updates the previous WP29 Opinion No. 8/2001 in the area of employment data processing.
At Dogana Project, the authors analyzed the opinion and highlighted several findings:
- “employers should always bear in mind the fundamental data protection principles, irrespective of the technology used;
- the contents of electronic communications made from business premises enjoy the same fundamental rights protections as analogue communications;
- consent is highly unlikely to be a legal basis for data processing at work, unless employees can refuse without adverse consequence;
- performance of a contract and legitimate interests can sometimes be invoked, provided the processing is strictly necessary for a legitimate purpose and complies with the principles of proportionality and subsidiarity;
- employees should receive effective information about the monitoring that takes place, and
- any international transfer of employee data should take place only where an adequate level of protection is ensured.”
Moreover, the opinion also addresses the new obligations under the GDPR. They include privacy by design and by default, data protection impact assessment obligations, and the possibility for Member States to specify additional rules based on Article 88 of the GDPR.
The authors also refer to the in-employment screening part of the opinion and argue that “employers could monitor the LinkedIn profiles of former employees that are subject to non-compete clauses as long as the employer can prove that, first, such monitoring is necessary to protect his legitimate interests. Second, there are no other, less invasive means available. And finally, that the former employees have been adequately informed about the extent of the regular observation of their online public communications.”
GDPR Compliance Questionnaire by German Public Authority
The Bavarian Data Protection Authority for the Private Sector (“BDPA”) published a questionnaire for GDPR implementation a long time ago. However, it was in German.
This month the BDPA published an English version of the questionnaire. These questions may be used as a basis for a GDPR implementation.
The questionnaire includes these sections:
- Structure and responsibility in the company
- Overview of processing activities
- Involvement of third parties
- Transparency, information duties and assurance of data subject rights
- Accountability, risk management
- Data breaches
The list of questions is not final and may be altered in individual cases. However, its structure is very similar to that of the GDPR Compliance Test published at www.dataitlaw.com.
Papers about Pirate Bay Decision, Risk-based approach and third party law analysis by CJEU
Many authors published new scholarly articles on various topics. We introduce them briefly.
Eleonora Rosati analyzed The Pirate Bay decision of the Court of Justice of the EU (CJEU), case no. C-610/15. The author looks at the judgment from the perspective of the current EU policy called the ‘value gap proposal’. “The judgment reinforces the position of the European Commission, especially the basic idea that the making available, by a hosting provider, of third-party uploaded copyright content may fall within the scope of the right of communication to the public.”
Claudia Quelle published an article “The ‘Risk Revolution’ in EU Data Protection Law: We Can’t Have Our Cake and Eat It, Too”. The author argues that “controllers are entrusted with the responsibility not only to improve upon the data protection obligations specified by the legislature, but also to second-guess their use in the case at hand. Section IV argues that none of the obligations of the controller were fully risk-based to start with. In fact, the risk-based approach is in direct conflict with the non-scalability of the provisions in Chapter III (rights of the data subject).”
Christopher Kuner published an opinion about third country law in CJEU decisions. The author analyses the situation in which “the standard for determining the validity of a Commission decision is whether third country law is ‘essentially equivalent’ to EU law, which by definition must involve an examination of the third country law with which EU law is compared.” The author argues that “the CJEU should accept and be more open about the role that third country law is increasingly playing in its data protection judgments, and will likely play in other areas as well.”