
Key considerations for the EU Data Governance Act

In this week’s issue of In Perspective, Samad Miah, Data Protection Consultant at Xcina Consulting, looks at the key takeaways from the EU’s proposed Data Governance Act and what it might mean for data protection practitioners. Also covered: a decision by the French Data Protection Authority relating to Google Analytics, and new draft guidance on pseudonymisation issued by the Information Commissioner’s Office in the UK.

Learn the details of these and other key emerging themes as events unfold. Follow our round-up of latest stories and find out what the latest developments mean for you.  Our weekly review below helps you decide.

Key things to consider in the European Union’s new Data Governance Act

What happened

  • In March 2022, the EU Data Governance Act will be finalised with the intention for it to come into force in summer 2023.

  • The Data Governance Act applies to data in general, not just data relating to and identifying individuals (i.e. personal data).

  • Therefore it covers any digital representation of acts, facts or information.

  • The EU Data Governance Act is the first of the EU’s planned new initiatives on data, with proposals relating to Digital Services and Artificial Intelligence currently being drafted or deliberated.

Why it matters

  • The Act encourages greater re-use of public sector data by utilising secure data environments and anonymisation techniques.

  • The Act establishes a licensing regime for ‘data intermediaries’. These are organisations that set up commercial arrangements between data holders and data users but do not add extra value to the data themselves. Data intermediaries (e.g. consent management platforms) will have to meet certain licence conditions to ensure their independence, such as restricting the re-use of data and metadata.

  • Additionally, the new Act promotes the access and use of data for scientific research.

  • Lastly, the Act sets a number of restrictions to transfers of non-personal data to third countries.

French data protection regulator issues decision on the use of Google Analytics

What happened

  • Following a number of complaints filed by the non-profit organisation ‘NOYB’, the French Data Protection Regulator (the CNIL) has indicated that the transfer of personal data to the USA through Google Analytics is illegal.

  • This follows several similar decisions and statements issued by the Austrian, Dutch and Danish data protection regulators as well as the European Data Protection Supervisor.

Why it matters

  • Since the invalidity of the Privacy Shield, and in the absence of an adequacy decision, transfers to the USA are not sufficiently regulated and do not offer a sufficient level of protection.

  • Google Analytics uses a unique identifier attributed to website visitors, which is considered personal data (and not anonymous).

  • Even though Google may have adopted additional measures to secure the transfer of their personal data to the USA, the CNIL has stated that these would not be sufficient to prevent access to this data by American intelligence services.

ICO publishes draft guidance on pseudonymisation

What happened

  • The data protection regulator (the ICO) in the UK has published new guidance on pseudonymisation.

  • This guidance forms part of a larger consultation that the ICO has initiated covering anonymisation and privacy-enhancing technologies.

Why it matters

  • The new guidance covers topics such as the definition of pseudonymisation, what it means in practice and its benefits.

  • The guidance states that the status of data can change depending on who holds it. For example, pseudonymous data which you can still identify using a key or other separate identifiers might no longer be identifiable in the hands of a different organisation that does not have access to that key.

 


Samad Miah

Data Protection Consultant

Speak to me directly by Email, or
Telephone:+44 (0)20 3745 7843 

 

Samad has a strong track record in data protection, both as an industry practitioner and as a consultant, helping organisations successfully address their obligations towards the Information Commissioner’s Office and other regulatory bodies.

To discuss how the above or other data protection requirements impact your business, feel free to get in touch with our team. We provide our clients with pragmatic advice and support to help them achieve a robust and defensible position.

In this week’s issue of In Perspective, Samad Miah, Data Protection Consultant at Xcina Consulting, looks at recent cases in Europe relating to the lawfulness of processing, a decision by the Belgian Data Protection Authority relating to the Transparency and Consent Framework used by much of the advertising industry in the EU and findings from an audit completed by the UK’s Information Commissioner’s Office on Greater Manchester Police.


What happened

  • IAB Europe was fined €250,000 by the Belgian Data Protection Authority (DPA). It found that its Transparency and Consent Framework (TCF), which is widely used in the advertising industry in the EU, does not comply with the EU GDPR.

  • The DPA found that by processing data under the TCF, which facilitates the management of users’ preferences for online advertising, IAB Europe acts as a data controller and is liable for potential violations of the GDPR.

  • In addition, IAB Europe was found to lack a legal basis for processing and failed to appoint a data protection officer, conduct a data protection impact assessment, or maintain a register of processing activities.

Why it matters

  • IAB Europe has also been ordered to permanently delete personal data already recorded in the TCF system from all its IT systems, files, and data carriers, as well as from those of processors contracted by IAB Europe.

  • IAB Europe rejects the Belgian DPA’s finding that it is a data controller in the context of TCF, noting that it is wrong in law and will have major negative consequences far beyond the digital advertising industry.

  • In addition to considering all options for a legal challenge, the organisation anticipates working with the authority on an action plan going forward.

What happened

  • A data subject in Austria gave their phone number to a data controller, Austrian Post Plc, and stated that they did not wish for it to be shared with a third party.

  • However, the data subject was later contacted by a market research institute on two occasions. The market research institute was acting as a data processor on behalf of the data controller.

  • In a complaint filed with the Austrian Data Protection Authority, the data subject argued that the transfer of his data (name and phone number) to the processor was illegitimate because they had already refused consent for any form of data sharing.

  • The Austrian Data Protection Authority dismissed the complaint.

Why it matters

  • The Federal Administrative Court in Austria upheld the decision of the Austrian Data Protection Authority.

  • According to the court, the processor is to be regarded as an extension of the controller.

  • The controller is therefore free to assign a processor to the processing of data if it is in compliance with Article 6 of the EU GDPR.

  • As a result, the transmission of data from the controller to the processor itself does not need to be justified under Article 6 of the EU GDPR.

What happened

  • Coolblue is a company that sells electronic products. The data subject in this case was employed at Coolblue between 2017 and 2020. During that time, and with the data subject’s permission, Coolblue took photographs of the data subject in the context of promotion and marketing. Pictures of the data subject were displayed on Coolblue vans and the company’s YouTube channel.

  • After the termination of their contract with Coolblue, the data subject claimed that the business should have requested their consent for the use of the promotional material, since it contained their personal data.

  • According to the data subject, Coolblue had no legal basis to process their personal data, since the data subject revoked their consent pursuant to Article 7(3) EU GDPR.

Why it matters

  • The Rotterdam Court of First Instance considered that Coolblue could process a data subject’s personal data pursuant to Article 6(1)(f) EU GDPR, because their legitimate interest overrides the fundamental rights and freedoms of the data subject.

  • The Court stated that although Coolblue could not rely on the data subject’s consent, it could rely on Article 6(1)(f) GDPR.

  • The Court noted that Coolblue had a commercial interest, that this interest is legitimate, and that the costs for Coolblue would be unreasonably high, and the impact on their business significant, if the photograph of the data subject could no longer be used.

One more thing…

The Information Commissioner’s Office in the UK has published its audit report of the Greater Manchester Police. The summary of its findings can be found here. Key takeaways include the need for the organisation to improve its compliance in training and awareness, information security and governance and accountability.

 
