Loyens & Loeff –
February brought the following interesting data protection developments:
- Update home market: The Netherlands, Belgium, Luxembourg
- Update on data transfers outside of the EEA (Privacy Shield, Model clauses)
Please find a brief summary of the relevant developments in three of our home markets these being The Netherlands, Belgium and Luxembourg.
Education Executive Agency permitted to obtain travel data of students
On February 5, 2018, the Dutch Central Board of Appeal (Centrale Raad van Beroep, CRB) ruled that travel data indeed qualify as personal data, but that under certain circumstances, a supervisory body – such as the Education Executive Agency (Dienst Uitvoering Onderwijs, DUO) – is allowed to obtain such personal data.
The case concerns a student who was receiving an additional scholarship on the basis of living independently from his or her parents. Another requirement for this scholarship is that the student must be living within the municipality where he or she is registered.
DUO regularly checks whether students meet these requirements in order to ensure that students are not receiving more scholarship than they are entitled to. For this purpose, DUO occasionally checks the travel data of students to see whether they are often travelling within the area that they are registered in.
The CRB ruled that such travel data qualifies as personal data, and that it therefore enjoys protection under privacy regulation. It however also ruled that supervisory bodies are within their right to request access to such data taking into account the purpose for such requests (i.e. combatting fraud), and considering that the travel data reveals limited information about the students.
This standpoint of the CRB did not, however, make DUO’s case against the student in question much stronger, as travel data carries little evidentiary value. There may very well be alternative reasons for the student’s unusual travel behavior. In the absence of further supporting evidence, the CRB ruled that the student remains entitled to the scholarship that he or she has been receiving.
You can read the full judgement here (only available in Dutch).
Municipalities collect more data than necessary
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has found that municipalities have been collecting more personal data than is necessary for the performance of their tasks under the social support act (Wet maatschappelijke ondersteuning, Wmo) and the youth act (Jeugdwet). It concerns the method in which two municipalities (of Nijmegen and of Zaanstad) process the personal data in a so-called self-reliance matrix (zelfredzaamheidsmatrix, ZRM).
ZRM is an instrument used to measure how self-reliant people are. Municipalities use the content during conversations that they have with residents for the purpose of determining the support and care that the residents may need (keukentafelgesprekken). ZRM contains a broad scope of data, including sensitive data relating to the physical and mental health of the residents, data concerning their financial situation, and any criminal convictions and offences. The AP has found that collecting such (sensitive and) extensive data is not necessary in order for municipalities to determine what care residents may be in need of. ZRM therefore contains data that is disproportionate, unnecessary and ungrounded, which is in breach of the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp).
In addition, municipalities have a duty of care (Article 15, Wbp) to ensure that professionals are capable of determining the relevant categories of personal data that they require. This means that municipalities have the responsibility to implement appropriate measures to enable professionals to have this capability, by providing trainings and adequate guidelines for instance. The AP has found that the municipalities have not fulfilled this duty of care as their current measures in this respect are insufficiently specific and clear. The AP has therefore urged the municipalities to adjust their practices in accordance with the findings of the AP.
Privacy Commission vs. Facebook
On 16 February 2018, the Dutch Chamber of the Court of First Instance in Brussels (the Court) found Facebook guilty of violations of Belgian data protection law. Facebook has announced that it will appeal the decision.
The case has been ongoing since 2015 (read an earlier newsletter on this subject here) and after initial trials in summary judgment proceedings, it reached a first judgement on the merits earlier this month.
On the merits of the case, Facebook was found to be lacking with regard to its transparency obligations as it insufficiently informs users about (inter alia) the data that it collects, for what purposes, how long it is kept for, and who has access to it. The Court also found Facebook to be lacking a legal basis for the processing. Furthermore, its methods of tracking online behavior of people, for instance on third party websites, and specifically when it concerns people who are not Facebook users, were found to be excessive.
Facebook has been sanctioned to delete all the data concerning Belgian citizens which it obtained illegitimately through its cookies and social plug-ins, also with regard to the Belgian citizens who were not Facebook users. In addition, Facebook will be fined EUR 250.000 a day (or up to EUR 100.000.000) in the event that it does not comply with the court’s judgement.
We will of course keep you fully informed on this case.
GDPR Implementation law
The Belgian secretary of state for privacy (De Backer) announced the GDPR implementation act earlier this month; however, the act is yet to be submitted to the Parliament. Belgium is currently transposing the GDPR into national law, and is considering various exemptions. For instance, the age of 13 for consent of minors (instead of 16) is one of the considerations. The secretary of state also announced that he wants the implementation act to be very broad and open when it comes to exemptions concerning archiving, statistics and scientific research in order to stimulate innovation.
We will monitor this important development closely, and will update you accordingly.
Belgian Data Protection Authority taking shape
As of May 25, 2018, the current Belgian Privacy Commission will transform into the Data Protection Authority (Gegevensbeschermingsautoriteit, GBA). On February 12, 2018, the chamber of representatives published a notice in the Official Gazette with regard to the composition of the GBA, which will consist of a board of directors, a knowledge center, and a dispute chamber. The notice calls on candidates for the mandate of the DPA. The current president of the privacy commission (Willem Debeuckelaere) has declared that he does not wish to be a candidate.
Binding Corporate rules of PayPal approved
Following the separation of PayPal from the eBay Group in July 2015, PayPal wished to have its own set of Binding Corporate Rules (BCR’s) in order to maintain a high level of protection of the personal data that it processes.
BCR’s can be described as a code of conduct, outlining the internal rules for data transfers within a multinational organization, in which an affiliate located within the European Economic Area (EEA) transfers data to its affiliate located outside of the EEA.
As the nature of the business activities of PayPal involves a lot of transfers of personal data within its organization, but across jurisdictions, BCR’s are a convenient solution that enable PayPal to ensure appropriate safeguards for such data transfers (as is required under the General Data Protection Regulation, GDPR (see Chapter V)).
In order to use BCR’s however, PayPal had to first appoint a lead authority. The role of the lead authority is to facilitate the authorization process of the BCRs. As PayPal’s European headquarters are based in Luxembourg, the National Commission for Data Protection in Luxembourg (Commission Nationale pour la Protection des Données – CNPD) was appointed as the company’s lead authority. PayPal then had to draft BCR’s in line with the requirements set up in the Article 29 Working Party papers. Once the CNPD approved the adequacy of the safeguards put in place in the BCR’s, these were circulated to the other European Data Protection Authorities (EDPA). The BCR’s have now been considered as final by all the EDPA’s, and PayPal can thus request authorization of transfers of personal data on the basis of its adopted rules.
Personal data breach notification form
The CNPD has published a notification form, accompanied by a FAQ section, with the objective to facilitate entities in preparing for (and reacting to) personal data breach instances. In Luxembourg, controllers are obliged to notify personal data breach instances to the Commission de Surveillance du Secteur Financier (CSSF).
More information on this can be read here (only available in French).
2. Data transfers outside of the EEA: update EU-US Privacy Shield and Model Clauses regime
2.1. Update Privacy Shield
Data transfers from the EEA to the U.S. are permitted if the receiving company has been certified under the EU-U.S. Privacy Shield, adopted on 12 July 2016 by the European Commission.
This self-certification mechanism is considered to provide adequate protection for the transfer of personal data to US companies, subject however to regular review. For more information on the EU-U.S. Privacy Shield, please see our Data Protection Alert on the adoption of the EU-U.S. Privacy Shield.
First annual review
On 18 October 2017, the European Commission (EC) published its report concerning its first annual review of the EU-US Privacy Shield. The objective of such reviews is to ensure that the privacy shield “ensures an adequate level of protection” for personal data transfers to the U.S. The review covers all aspects of the Privacy Shield, among which its implementation, administration, supervision, and enforcement by the competent authorities and bodies.
Whilst the report concludes that the Privacy Shield is (for the time being) to be deemed adequate, it has provided a list of recommendations for further improvement, which include:
- companies should not be able to publicly refer to their Privacy Shield certification prior to such certification being granted and their company being added to the Privacy Shield list;
- the US Department of Commerce (DoC) should conduct regular and proactive searches for false claims of participation in the Privacy Shield which can weaken the credibility of the system;
- the DoC should regularly monitor compliance with the Privacy Shield;
- the national data protection authorities and the DoC should further strengthen their awareness-raising efforts;
- the U.S. administration should confirm its political commitment to the Ombudsperson mechanism by filling the position of the Ombudsperson with a permanent appointee as soon as possible; and
- the U.S. authorities should, timely and comprehensively, report to the EC any developments that could be of relevance for the Privacy Shield.
WP29 on the first annual review
On 28 November 2017, the Article 29 Data Protection Working Party (WP29) also released its opinion on the first review of the Privacy Shield (Opinion). The WP29 recognises the efforts made by US authorities to set up a comprehensive procedural framework to facilitate the functioning of the Privacy Shield. However, the WP29 also identified a number of significant concerns with respect to both the commercial as well as national security aspects of the Privacy Shield framework and emphasized that these need to be addressed within given timeframes. Should these concerns not be remedied, the WP29 ensures that its members will take appropriate legal action, such as challenging the validity of the Privacy Shield in front of national courts with the objective for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
The EC has decided, on the basis of directive 95/46/EC, that certain standard contractual clauses offer sufficient safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals in relation to the exercise of corresponding rights (model clauses). Therefore, a company located within the EEA can transfer personal data to a company located outside of the EEA, if a data transfer agreement is in place between the two companies which incorporates the unmodified model clauses.
For the moment, three sets of standard contractual clauses are available: two for transfers from data controllers in the EEA to data controllers outside of the EEA, and one for transfers from data controllers in the EEA to data processors established outside of the EEA. Processor-to-processor model clauses were discussed, but never adopted.
Model clauses and transfers to the US
On 3 October 2017, the High Court of Ireland rendered a decision in The Data Protection Commissioner v. Facebook Ireland case, in which the High Court granted the request of the Irish Data Protection Commissioner for a reference to the CJEU for a ruling on the validity of the standard contractual clauses in relation to transfers of EU personal data to the US. The High Court is in the process of hearing the parties and determining the exact questions that it shall refer to the CJEU for a preliminary ruling.
If the CJEU decides to render the model clauses invalid, this could have a significant impact on companies that currently rely on this mechanism for transfers of personal data to the U.S. We will therefore closely monitor this development, and will keep our readers fully informed.
Compliments of Loyens & Loeff – a member of the EACC in New York