Legal Tech News Review Week 5 – 11 October 2020, by Eleni Kozari

CJEU rules on data retention by electronic communication providers for crime and national security purposes

Following its previous judgements on the cases Tele2 Sverige and Watson and Others, regarding the retention of and access to personal data in the context of electronic communications, the Court has ruled about the lawfulness of legislation adopted by the UK, France and Belgium in this regard.

Three cases were brought before the Court and in particular, Privacy International C-623/17 (UK), La Quadrature du Net and Others, Joined Cases C-511/18 and C-512/18 (France) and Ordre des barreaux francophones et germanophone and Others, C-520/18 (Belgium). All three cases concerned the national instruments of those Member States that required electronic communication providers to retain in general and indiscriminate, or grant public authorities access to, users’ traffic and location data.

As regards the applicability of ePrivacy Directive to national legislation, serving national security purposes, the Court clarified that any national instrument mandating electronic communication providers to retain or transmit traffic and location data to intelligence and national security authorities, falls within the Directive’s scope.

Τhe Court, principally, confirmed that national instruments requiring electronic communications providers to retain or transmit, in general and indiscriminate way, traffic data or location data for crime and national security purposes, do not conform with EU law. To this end, the CJEU clarified the situations and the circumstances, under which national provisions can stipulate certain derogations, provided that appropriate safeguards are put in place.

Thus, inter alia, in case of ‘genuine and present or foreseeable serious threat to national security’, Member States may require, by way of legislative measure, the general and indiscriminate retention of data relating to electronic communications, limited in time and to what is strictly necessary. Accordingly, in order to combat serious crimes and prevent serious threats to public security, Member States may provide for the targeted retention of such data and their expedited retention. In both cases, the respective decisions should be subject to effective review by a court or an independent administrative authority.

Finally, as regards national legislation providing for the real-time collection of traffic and location data by providers, the Court affirmed its legality as long as the collection is limited to persons against which there are valid reasons to suspect their involvement in terrorist activities. Prior review of a court or an independent administrative authority is mandated as well.

See more here


EDPS’ update on the state of Biometrics


In the light of the increasing processing of biometric data by numerous devices and systems, deployed both by private and public entities, the European Data Protection Supervisor provided an update as regards the state of Biometrics within the EU.

To date, biometric data is being collected and processed in many and different contexts. Mobile devices collect fingerprints and face images for user authentication purposes while IoT devices (such as smart watches) process data about the users’ health condition and sleeping habits. On the other hand, video surveillance systems deploying facial recognition technology, can identify and classify individuals by scanning and processing their face and full body images. Such technologies are in surge due to the COVID-19 pandemic. Hence, sensor-based cameras measure the temperature of individuals in order to identify those affected by the virus.

According to the EDPS, all the foregoing are a few examples of the current processing of biometrics within the EU and concern EU institutions, bodies and agencies as well. In particular, the EDPS referred to the already established and under operation EU large IT systems processing biometric and deployed in the context of asylum, migration and external-borders (Visa Information System (VIS), Schengen Information System (SIS II) and EURODAC).

In addition, the EU will launch three additional large IT systems, the two of which will process biometrics as well (the Entry-Exit System (EES) and the European Criminal Records Information System for Third-Country Nationals (ECRIS-TCN).

However, the Supervisor reiterated certain fundamental considerations that should be assessed before the processing of biometric data by any such technology. First and foremost, the processing of biometric data, constituting special category of personal data, is prohibited in principle and only under certain conditions can be considered lawful. This enhanced protection is afforded both under GDPR as well as the Council of Europe’s Modernised Convention 108+.

Furthermore, the lack of capability to amend our physiological traits along with the increased use of biometric data, trigger significant security concerns. To this end, the EDPS highlights biometric system designers’ responsibility to embed appropriate security safeguards already from the design phase.

Finally, the Supervisor stressed the need to evaluate each processing of biometric data on its merits, assessing first how necessary and proportionate it actually is. Accordingly, adherence to purpose limitation and data minimization principles is mandated while in order to build public trust over biometric data technologies, transparency regarding their use is crucial.

See more here


ICO found no data misuse by Cambridge Analytica with respect to Brexit Referendum


After a three-year investigation into the collapsed company, Cambridge Analytica, the ICO announced that the company did not directly misuse data in order to influence the Brexit Referendum.

The company drew major publicity over its controversial practices of data targeting in politics and collapsed in 2018. Its founder has been disqualified from acting as the company director for ‘offering potentially unethical services to potential clients’.

After investigating 42 computers, 700 terabytes of data and analysing more than 300,000 documents, the Information Commissioner’s Office announced that found no evidence that Cambridge Analytica was actively involved in the EU referendum campaign. The ICO, also, stated that it did not find any evidence that the company facilitated Russian intervention in the UK political process.

On the other hand, though, the ICO underlined that the company’s data protection practices fell short in terms of effective security measures. In addition, the Commissioner highlighted that the case reiterated broader concerns regarding the influence of technology service providers in political affairs and democratic systems in general.

See more here


German lawsuit against Amazon for alleged unlawful data transfers

The US-based company faces a German lawsuit, to be filed in Munich, for allegations that it continues to use Privacy-Shield as a data transfer mechanism. The latter has been invalidated by the CJEU in the Schrems II case, on July of 2020.

According to the CJEU’s ruling in the foregoing case, data transfers based on the Privacy Shield are no longer permitted. Following the decision, other US-based companies, are deploying another data transfer mechanism, that of Standard Contractual Clauses (SCC). The validity of the latter was upheld by the Court in Schrems II ruling. However, even for SCCs, certain alterations may need to be put in place by data exporters/importers, triggering further assessments by the national competent data protection authorities.

Beyond the alleged unlawful data transfers by Amazon, the lawsuit also contends that the company failed to properly inform the complainant about the personal data it holds for him and the purposes of such processing.


See more here