
GDPR Updates: New Guidelines, Code of Practice, Regulatory Decision and CJEU Judgment

General / Jul 31, 2019

Article by Dotan Hammer

Guidelines on Video Devices. The European Data Protection Board (EDPB) has issued draft guidelines for public comment on the data protection issues arising from the use of video devices and video surveillance. The guidelines explain that controllers operating video systems must establish the legal ground for video processing, the most likely ground being a compelling legitimate interest of the controller, which overrides the interests, rights and freedoms of the data subjects, or for the establishment, exercise or defense of legal claims. As such, a real-life situation of distress needs to be at hand – such as damages or serious incidents in the past – to legitimize the use of video surveillance. The draft guidelines also indicate that the use of video devices must be adequate, relevant, proportional and limited to what is necessary in relation to the purposes for which they are used, consistent with the data minimization principle and the countervailing interests of data subjects. For this reason, a short retention period of one to three days is usually required, according to the draft guidelines.

The use of video systems with biometric recognition functionality by private organizations for their own purposes (e.g., marketing, statistics or security) in most cases requires the prior, explicit, specific, freely given and withdrawable consent of data subjects, because this processing is considered ‘special categories of data’ subject to the special arrangements in Article 9 of the GDPR. The use of video systems with biometric recognition functionality also requires special attention to the data minimization principle.

The draft guidelines emphasize that the use of video systems requires controllers to give data subjects the rights afforded to them under the GDPR, such as the right to access a copy of the footage (if the controller is able to search and identify the data subject in the footage) and the right to erasure in certain cases. Controllers must also inform data subjects of the use of video systems, using a dual system of warning signs to provide basic information and other means (e.g., link to an online webpage) to provide more detailed information.

CLICK HERE to read the EDPB’s draft guidelines on processing personal data through video devices.

Guidelines on Cookies. The United Kingdom’s privacy regulator – the Information Commissioner’s Office (ICO) – has published guidance on websites’ use of cookies. The guidelines urge websites to conduct an audit of the types of cookies they use, provide users with clear information about the cookies used on the website, and obtain their prior, express, specific, freely given and withdrawable consent to most types of cookies, including advertising cookies and analytics cookies. The guidance emphasizes that some types of cookies, however, are likely to be exempt from the consent requirement, such as data security-related cookies, user-authentication cookies, content streaming cookies and user-preference cookies.

The French privacy regulator – CNIL – also published guidelines on the use of cookies by websites, which largely and concisely echo the key points of the ICO’s guidance. Contrary to the ICO’s guidance, the CNIL’s guidance also addresses cookies used to measure website audience or test different versions to optimize editorial choices on website content. These cookies may be exempt from the requirement for prior, express, specific, freely given and withdrawable consent of the user, if they meet certain conditions. These conditions include the cookies being “first party” cookies (rather than “third party” cookies), giving users an opt-out choice, collecting IP addresses no more geo-precise than the size of a city and configuring the cookie’s duration to be no more than 13 months.

CLICK HERE to read the UK ICO’s guidance on cookies; CLICK HERE to read the French CNIL’s guidance on cookies (in French).

Decision on the Right to be Forgotten. The Italian data protection authority issued a decision requiring Google to comply with a data subject’s request to have a webpage referencing him delisted from Google’s search results, where the webpage appeared not as a result of searching the individual’s name, but rather when a search keyword merely references the position of the president of a given company and the individual holds that position.

The webpage in question was an outdated news item concerning an indictment ten years earlier, from which the individual was later acquitted. The individual alleged that the outdated news item’s listing in the search results inflicted grave and irreparable damage to his reputation. Google refused to delist the item, arguing that the right to be forgotten does not extend to search keywords that do not include the name and surname of an individual.

The Italian regulator ordered Google to delist the search result, having concluded that the webpage that referenced the president of that particular company unequivocally referred to the complainant who has been holding that position for years. This rendered the webpage identifiable “personal data” subject to the right to be forgotten, according to the Italian privacy regulator.

CLICK HERE to read the Italian privacy regulator’s statement announcing the decision (in Italian).

Data Sharing Code of Practice. The United Kingdom’s privacy regulator – the Information Commissioner’s Office (ICO) – has published a draft code of practice on data sharing for public consultation. It is a statutory code of practice providing practical guidance on how to share data fairly and lawfully under the GDPR. The code discusses the data protection issues associated with sharing personal data between organizations which are controllers. It repackages the GDPR’s overall requirements into a guidance document. It discusses an organization’s decision to share personal data, the practice of having a data sharing agreement, the lawful basis required for data sharing, fairness and transparency to data subjects, rights of data subjects and data security. It offers data sharing checklists, requests and decision forms and discusses specific use cases, such as data sharing following mergers and acquisitions.

CLICK HERE to read the UK ICO’s draft Code of Practice on data sharing.

Court Judgment on websites’ use of a Facebook “Like” button. The Court of Justice of the European Union has handed down a judgment holding that a website operator that features a Facebook ‘Like’ button can be a joint controller with Facebook in respect of the collection and transmission to Facebook of the personal data of visitors to its website, because both the operator and Facebook jointly determine the purposes and means of that collection and transmission.

As such, the website operator must provide users, at the time data is collected from them on the basis of the ‘Like’ button, certain information such as its identity and the purposes of the processing. It must also base that processing on a recognized legal basis: either user consent or the pursuit of a legitimate interest of the website operator.

The judgment clarifies that the website operator is not a controller in respect of the subsequent processing of that data carried out by Facebook alone, because it does not determine the purposes and means of that processing by Facebook. Although the judgment is based on the Data Protection Directive that preceded the GDPR, it is similarly applicable under the GDPR.

CLICK HERE to read the CJEU’s judgment in the matter of Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV.

This article was published in the Internet, Cyber and Copyright Group’s July 2019 Newsletter.

For more information, please contact Haim Ravia – Senior Partner and Chair of the Internet, Cyber and Copyright Group.