Draft EU Council Resolution on Encryption
On 6th November, 2020 the EU Council submitted a draft Resolution titled ‘Draft Council Resolution on Encryption - Security through encryption and security despite encryption’. The Resolution constitutes a political statement of intent and has been circulated within the Council’s working teams. It will finally be adopted in December.
At first, the Resolution reiterates the mandate for deploying sound encryption in communications as a means of protecting security, privacy, personal data and other fundamental rights at EU level. In today’s digital world, encryption is necessary both for private and public security, benefiting inter alia governments, critical infrastructures and industry.
On the other hand, though, the draft Resolution underlines that digitalisation and cyberspace may trigger cyber-enabled crimes by giving rise to side-vulnerabilities that facilitate exploitation for criminal purposes. To this end, access to electronic data by competent authorities is necessary in order to carry out investigations, prosecute criminals but also protect victims. However, according to the draft Resolution, encryption may in certain instances render competent authorities incapable of accessing and/or analysing the content of encrypted communications data.
Hence, the Resolution advocates striking a better balance between the protection of privacy and security through encryption on the one hand and preserving authorities’ competence to lawfully access encrypted communications data in the context of security and criminal justice on the other. In particular, the Resolution recommends the development of a consistent EU regulatory framework that would permit competent authorities to lawfully access encrypted data for legitimate and clearly defined purposes (i.e. fighting serious crimes, organised crimes and terrorism), through appropriate technological solutions which would be subject to proportionality, necessity and (national) judicial oversight requirements. At the same time, the protection of fundamental rights and preservation of encryption’s benefits should be ensured.
EU Commission’s draft implementing decision on SCCs
On 12th of November, the European Commission published its draft implementing decision on standard contractual clauses (SCCs) regarding data transfers to third countries. The draft is open to feedback for four weeks, until 10 December 2020.
With its entry into force, Decision 2001/497/EC and Decision 2010/87/EU, setting the standard contractual clauses for data transfers to third countries under Directive 95/46/EU, will be repealed. However, there is a transitional period of one year after the decision’s entry into force, during which data exporters and importers may continue to rely on the SCCs, as set out in the foregoing decisions, in the case of (unchanged) contracts that were concluded prior to that date (Art. 6).
In addition, competent authorities of Member States are mandated to inform the Commission in case data importers are subject to national legislation that prevents them from complying with the SCCs, leading to the suspension or ban of data transfers to the third country in question (Art. 3).
The Standard Contractual Clauses are articulated in the Annex of the draft decision and are split into Section I, Section II (obligations of the parties) and Section III (final provisions). They also include four modules, covering data transfers between controllers, from controller to processor and vice versa, as well as between processors.
Draft Opinion of EU Parliament’s Committee on the European Data Strategy
On 9th November, 2020 the Committee on Civil Liberties, Justice and Home Affairs (LIBE) issued a draft opinion on the European Data Strategy. Within its opinion, LIBE sets out propositions to be taken into consideration by the competent Committee (i.e. Committee on Industry, Research and Energy), which shall, in turn, include them in its motion for a resolution.
LIBE reiterates that absolute respect for EU citizens’ fundamental rights should be ensured, with particular focus on the right to privacy and data protection. Those rights should be safeguarded and constitute the basis of the European Data Strategy. Accordingly, the EU ‘acquis’ should be preserved in every data processing activity, including data transfers, which should be performed in compliance with the GDPR and the LED Directive.
As regards data processing in the context of law enforcement and public administration data spaces, LIBE underlines that the principle of proportionality and EU law should be fully respected. In parallel, the Committee calls for a clear delineation between personal and non-personal data, in particular in the context of IoT. To this end, LIBE recommends that inextricably linked types of data should be considered personal data.
Finally, the Committee advocates for the adoption of practical security measures, such as the imposition of cyber certification-related requirements, in order to address data breaches.
CJEU reiterates that pre-ticked boxes do not constitute a ‘valid consent’
With its judgement in case C-61/19, the Court of Justice of the European Union (CJEU) clarified the conditions for controllers to obtain a valid consent via consent boxes that refer to contractual clauses. The Court reiterated that pre-ticked boxes (i.e. ticked by the controller instead of the data subject) cannot demonstrate a lawfully obtained valid consent.
The case concerns the practices of a Romanian mobile telecommunications provider (Orange Romania SA) in obtaining users’ consent for the collection and storage of copies of their identity documents for identification purposes. According to the Romanian Data Protection Authority (ANSPDCP), the telecom provider had concluded contracts with the users, which contained a clause stating that the latter had been informed of and consented to the foregoing data processing. However, the consent box (referring to this clause) had been ticked by the provider prior to the conclusion of the contracts in question.
The Regional Court of Bucharest referred the matter to the CJEU, seeking clarification on the conditions for obtaining valid consent. The Court reiterated that pre-ticked boxes, silence or inactivity of users do not fulfil the requirements of a freely given, specific, informed and unambiguous (i.e. valid) consent. Accordingly, a contractual clause stating that the data subject has been informed of and consented to the data processing activity cannot demonstrate a valid consent when the latter has been obtained via pre-ticked boxes.
In addition, the Court underlined that where the data subject’s consent is obtained in the context of a written declaration that may concern other matters too, it must be provided in an intelligible and easily accessible manner through the use of clear language.
Finally, the CJEU clarified that in order for controllers to ensure that users are provided with genuine freedom over consent, contractual terms should not mislead the latter as to the conclusion of the contract in case they refuse to consent.