Data Protection and Privacy Update – January 2018

This month brought the following interesting data protection developments:

  • Update home market: The Netherlands, Belgium, Luxembourg and Switzerland
  • Update on the draft e-Privacy Regulation

1. Update home market 

Please find a brief summary of the relevant developments in all our four home markets these being The Netherlands, Belgium, Luxembourg and Switzerland.

1.1. Netherlands

New directors for the Dutch Data Protection Authority

As per January 1, 2018, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) appointed four new directors as part of their efforts to prepare for the entry into force of the General Data Protection Regulation (GDPR), which will take place on May 25 2018. As per this date, the AP will have additional tasks and commands, for instance the task of handling complaints from citizens, as well as maintaining collaboration on a European level.

AP advices on the draft implementation decree Payment Services Directive
The AP published its opinion on the draft implementation decree regarding the Payment Services Directive (PSD2). The PSD2 aims to harmonize mobile and internet payment facilities, and to strengthen consumers rights, throughout the EU. In its opinion, the AP stated that the draft implementation decree PSD2 does not sufficiently take into account the GDPR, and that it therefore requires to be revised. For instance, the AP strongly advises that all processing of personal data fall within the scope of the authority of the AP, and not that certain processing fall under the scope of the DNB (De Nederlandsche Bank), as the draft currently suggests.

The full advice can be read here (only available in Dutch).

Retrieval of mobile phone data upheld by District Court of The Hague
In a recent ruling, the District Court of The Hague affirmed that the retrieval of mobile phone data by the Netherlands Authority for Consumers and Markets (ACM) is permissible, even if the collected data includes data that are not business related.

The affected company requested an injunction to preclude the use of the data collected from the mobile phones on, inter alia, the ground that the mobile phones were also used for private purposes. Therefore, collecting all the data from the mobile phones would violate the right to respect for private life under the European Convention on Human Rights (Article 8). The District Court found that the ACM's practices with respect to dawn raid seizures of digital data provide adequate safeguards to preclude inappropriate access to digital data by the ACM. Thus, parties cannot challenge the seizure of digital data solely on the ground that it might comprise data of a non-business nature.

The full ruling can be read here (only available in Dutch).

1.2. Belgium

Act reforming the Belgian Privacy commission 
The act reforming the Belgian Privacy commission was published on 10 January in the Official Gazette. For more background please check Out with the old, in with the new: Belgian Privacy Commission becomes “Belgian Data Protection Authority”. The law will be effective as of 25 May 2018.

Proposal camera law
A proposal for a new camera law is currently pending in Parliament (introduced 4/1/2018). The objective is to revise the legal framework on the use of surveillance cameras. Police use of surveillance cameras will be governed by the existing law on the police function and no longer by the camera act. The law also intends to align the camera act with GDPR.

1.3. Luxembourg

Conference on the citizens’ rights and the changes made by the GDPR
On 30 January 2018, the Luxembourg data protection commission (Commission nationale pour la protection des données, CNPD), and the Association for the data protection in Luxembourg (Association pour la protection des données au Luxembourg, APDL) will organize a conference on the citizens’ rights and the changes made by the GDPR. This conference will be followed by a round table on the following subject: "The personal data protection, available to everyone?". We will keep you updated on the relevant outcome of this conference.

Launch of compliance support tool for new general data protection scheme
The CNPD, with support from Digital Luxembourg and in conjunction with the Luxembourg Institute of Science and Technology (LIST), has developed a “GDPR Compliance Support Tool”. The purpose of this tool is to offer users an innovative and intuitive solution for ascertaining the level of maturity of their organizations with regard to data protection. The tool will enable users not only to manage a processing register, and all the other documents required to demonstrate their responsibility, but also to monitor the evolution of the level of maturity of their organizations. You can find more information about this tool here.

CNPD advice on the Luxembourg draft bill implementing the GDPR
On 28 December 2017, the CNPD published its advice with respect to the Luxembourg draft bill n°7184 relating to the creation of the CNPD and the implementation of the GDPR.

1.4. Switzerland

The Political Institutions Committees of the Swiss National Council decided on 11 January 2018 to split the revision project of the Swiss Act on Data Protection and other related regulations into two steps: The parliament will firstly debate on the part of the revision which is necessary in order to be compliant with the GDPR, and in the second stage, it will considers the total revision of the law. The reason for this split is to avoid unnecessary time pressure for items which are not needed in order to be compliant with the new European regulation. As a result of this decision, we expect a prolongation of the revision process. We will of course keep you up to date on this issue. We will also be hosting GDPR and DPA Masterclasses in our Zurich office. For more information regarding these Masterclasses, click here.

2. Update on the draft e-Privacy Regulation: still a long way to go?

On 10 January 2017, the European Commission (EC) issued its proposal for a Regulation on Privacy and Electronic Communications, with the aim to replace the current e-Privacy Directive (for more information, see our Data Protection Alert on the e-Privacy draft regulation). After months of intensive debate, the European Parliament finally adopted its amendments to the draft e-Privacy Regulation, while the Council recently released a consolidated version of the e-Privacy Regulation, summarising the work it has done so far as a basis for future work.

The current revised versions of the Regulation of the European Parliament (see here) and the Council (see here) specify, and sometimes depart, from the EC’s proposal, while strengthening the rules on the protection of electronic communications data. Provisions drawing the most attention relate to (1) the broader scope of application of the Regulation, (2) changes in cookies rules, and (3) stronger direct marketing rules.

Broader scope of application
The EC's proposal (Proposal) extended the scope of the e-Privacy rules to new forms of electronic communication services in order to provide users with the same level of protection, irrespective of the communication service they use. While current e-Privacy legislation only applies to traditional mobile and fixed-line communication services, the Proposal also covers instant messaging, VoIP and web-based e-mail. In order to make sure that the Regulation covers all new channels and forms of electronic communication services, the current proposed amendments (Amendments) explicitly include machine-to-machine communications (Internet of Things). This approach was also endorsed by the WP29 in its opinion.

Furthermore, the Amendments also specify that the principle of confidentiality of electronic communications applies to both data in transit, and data stored on a device or in the cloud. They further detail the specific circumstances and conditions allowing a lawful interference with the right to confidentiality of electronic communications.

Changes in cookies rules: by default browser settings and “Do-Not-Track mechanisms”
The Amendments add that browser settings should disable cookies by default. Such configuration will allow to prevent other parties from storing information on the device or processing information stored on the device without the consent of the user. This is in line with the privacy by design approach implemented in the GDPR. In addition, the Amendments also extend the periodic intervals at which users are given the opportunity to withdraw or confirm their consent from 6 to 12 months.

Finally, both the European Parliament and the Council agree on the necessity to implement by default “Do-Not-Track” mechanisms in browser settings. This implies that browser settings should allow users to give sufficient granular options as to the categories of consent.

Stronger direct marketing rules
In line with the GDPR, the Proposal expressly stated that a valid “opt-in” consent must be obtained from the user in order to send unsolicited electronic communications such as e-mails, push notifications or SMS. This requirement does not apply in case of electronic marketing to existing customers regarding the company’s own similar products or services, provided that the customers are given opportunity to withdraw their consent at any time for each marketing communication. The Amendments clarify that such withdrawal right must be available free of charge.

The Proposal also introduced a system of mandatory caller-line identification for marketing calls, allowing users to identify the person/company calling them. While the Amendments specify that the use of false identities is of course prohibited, they add that marketing firms will have to comply with “Do-Not-Call” registers. Such registers allow individuals to “opt-out” for all direct marketing calls.

Next steps?
As the current amendments clearly tend to focus on the user’s prior consent as primary ground for processing, the EU bodies are now debating whether additional grounds, such as the legitimate interest  (as stated in the GDPR), could also be taken into account for processing electronic communications data. The Council has already pointed out other grounds for processing, such as the compliance with a legal obligation or scientific research and statistical purposes.

Despite what was initially scheduled, it seems unrealistic to expect a final version of the Regulation by 25 May 2018, date on which the GDPR will become applicable. As per usual, we will follow this matter closely, and will keep you up to date.