
Data Protection and Privacy

Data Protection, privacy and technology developments continued to dominate the headlines last year. In this briefing, we consider some of the most noteworthy developments of which organisations should be aware, and look at what is coming down the tracks in 2023.

The importance of fair, transparent and lawful processing has been in the spotlight as the Irish Data Protection Commission ("DPC") recently imposed three significant fines on a leading technology company for unlawful reliance on contractual necessity as a lawful basis for certain processing activities. International transfers continue to be a hot topic, as the EU Parliament, EDPB and a Committee of EU Member States review the draft EU-US Data Privacy Framework ("DPF").

In addition, the extent and scope of the right to compensation for non-material damage under Article 82 GDPR has been subject to scrutiny as a number of national court decisions concerning this matter are filtering up to the Court of Justice of the European Union ("CJEU"). All of these matters are considered in more detail in this commentary.

We also consider the CJEU decision in the case of X-Fab (Case C-453/21) which provides guidance on how to determine whether a conflict of interest could arise for an organisation's Data Protection Officer. In addition, the European Data Protection Board ("EDPB") has finalised a number of Guidelines to assist organisations to comply with their GDPR obligations including, amongst others, Guidelines on what constitutes an international transfer of data under Chapter V GDPR, and Guidelines on deceptive design patterns in social media platform interfaces.

Legislation surrounding data protection, privacy and technology continues to develop at a rapid pace. These developments present new challenges for companies and consumers alike. As a result, 2023 will undoubtedly be an exciting and busy year for all.

Key Themes in Data Protection and Technology

DPC Enforcement Activity - Fair, Transparent, and Lawful Processing in the Spotlight

2022 was another record year for GDPR fines across Europe. It is estimated that European Data Protection Authorities ("DPAs") imposed approximately €1.64 billion in fines last year, a 50% increase over the prior year. Ad-tech and behavioural advertising were a top enforcement priority in 2022. Other infringements, concerning the processing of children's data, the failure to meet privacy by design requirements and the failure to implement appropriate security mechanisms, also caught regulators' attention.

There is also a noticeable rise in willingness on the part of supervisory authorities to fine controllers who have been the subject of cybercrime where controllers did not have adequate security measures in place appropriate to the risk profile of the data processed. This trend arose particularly where special category data such as employment and health data were impacted.

2023 started with the DPC imposing a number of significant fines. In particular, the DPC fined Meta €210 million, Instagram €180 million, and WhatsApp €5.5 million in relation to breach of the transparency obligation, and for unlawfully relying on contractual necessity as a lawful basis for processing personal data for behavioural advertising purposes and for security and service improvements. The fines serve as a reminder of the importance of providing data subjects with clear and granular information in Privacy Notices about what personal data is being processed for each processing activity, the purpose(s) of such processing, and the lawful bases relied upon for the processing. In addition, more careful consideration must be given to the most appropriate lawful basis to rely on for the processing activity at hand. Typically, the practice has been to avoid relying on consent as a lawful basis, due to the high threshold that must be reached to obtain valid consent and the right of data subjects to withdraw consent at any time. However, it seems that consent and legitimate interests are likely to be relied on more frequently in the future to legitimise data processing activities, as it is clear that the contractual necessity and legal obligation lawful bases can only be relied upon in narrow circumstances.


Key Developments in Data Protection and Privacy

Compensation Claims

Article 82 of the GDPR, along with the Data Protection Act 2018, allows data subjects or non-profit organisations mandated to act on their behalf, to take compensation claims for material or non-material loss suffered as a result of a breach of the GDPR. However, uncertainty prevails as to the scope of the right to compensation for non-material damage.

On 6 October 2022, the Advocate General at the CJEU issued an Opinion in the Österreichische Post AG case (Case C-300/21) that a mere violation of the GDPR is not sufficient to recover compensation; the claimant must also prove material or non-material damage. In addition, compensation for non-material damage does not cover mere upset which the person concerned may feel as a result of a violation of the GDPR. If the CJEU follows this Opinion, it would be welcome news for companies, as it would raise the bar for successful damages claims for non-material loss.

On 23 January 2023, the Irish Circuit Court, in the case of Cunniam v Parcel Connect Limited & Ors, granted a stay on proceedings brought by a data subject where only non-material damages have been alleged, pending six decisions awaited from the CJEU relating to non-material damage (including the CJEU's decision in the Österreichische Post AG case). The Court held that not granting the stay would substantially prejudice the defendants’ case, and would lead to the risk of an irreconcilable judgment being produced by the Court.

Data Protection Officers ("DPOs")

The CJEU decision in X-Fab (Case C-453/21) provides guidance on how to determine whether a conflict of interest arises in respect of the role of Data Protection Officer and when a DPO may be lawfully dismissed. In this case, an employee, who performed the role of DPO and also worked as council chair, was dismissed at the direction of the State DPA due to a potential conflict of interest between these roles. The employee claimed that the dismissal was void due to protective employment provisions under German law, and the German court referred the matter to the CJEU.

Article 38(6) GDPR acknowledges that a DPO may fulfil other tasks and duties, provided such other tasks and duties do not result in a conflict of interests. The CJEU held that an assessment of whether a conflict of interests exists must be carried out on a case by case basis, in light of all the relevant circumstances, in particular the structure of the organisation. However, DPOs cannot be entrusted with tasks or duties which would result in them "determining the objectives and methods of processing personal data on the part of the controller or processor".

Article 38(3) of the GDPR further states "[a DPO] shall not be dismissed or penalised by the [organization] for performing his tasks". The CJEU held that member states, such as Germany, are free to lay down more protective provisions provided they do not undermine the GDPR's objectives. However, a national law which prevents the dismissal of a DPO who is unable to carry out their role in an independent manner because of a conflict of interest would be incompatible with the GDPR.

The EDPB recently announced that it has selected the designation and position of the DPO role as the focus for its next coordinated pan-EU enforcement action. It would therefore be prudent for organisations to take steps to review their DPO function. It is natural for jobs and roles to evolve over time, so organisations which have appointed a DPO should take steps to ensure that their DPO is not also entrusted with tasks or duties which conflict with the performance of their DPO obligations.

International transfers

In January 2023, the DPC referred its draft decision in relation to the lawfulness of Meta's EU-US transfers to the European Data Protection Board ("EDPB") under the Article 65 dispute resolution process, after it was unable to resolve objections from other EU data protection authorities. The dispute resolution procedure comes as the EU considers a draft adequacy decision for the EU-US Data Privacy Framework ("DPF").

The DPF is expected to be finalised and adopted by Summer 2023, which will mark three years since the invalidation of its predecessor, the EU-US Privacy Shield. The DPF and the accompanying US Executive Order aim to address the concerns raised by the European Court of Justice in Schrems II. In particular, they provide binding safeguards that limit access by US intelligence services to what is necessary and proportionate to protect national security, and establish an independent and impartial redress mechanism, including a new Data Protection Review Court. Although a finalised adequacy decision is expected later this year, many organisations may continue entering into the standard contractual clauses and conducting transfer impact assessments due to the likelihood of the DPF being further challenged by privacy advocates such as NOYB or others before the CJEU in the future.

Following public consultation, on 23 February 2023, the EDPB also issued its finalised Guidelines 05/2021 on the interplay between Article 3 and Chapter V GDPR. The guidelines provide some welcome clarity in regard to what constitutes a 'transfer' requiring compliance with the international transfer rules set out in Chapter V of the GDPR.

Data Subject Access Requests ("DSARs")

Over the past year, the EDPB and DPC have each published guidelines on the right of access to help controllers understand the scope of their obligations under Article 15 GDPR (available here and here). Whilst these non-binding guidelines are informative, in many ways they raise the bar in regard to what is expected from controllers when responding to access requests. Two issues, in particular, are worth noting.

First, the draft EDPB guidelines reject any proportionality limit with regard to the efforts a controller has to expend on responding to a DSAR. This is surprising as to date there have been strong grounds to believe that a controller is only required to take reasonable and proportionate steps to search for personal data in line with the EU principle of proportionality. It remains to be seen if this approach will be endorsed in the finalised guidelines. In contrast, the DPC guidelines state that controllers are not obliged to conduct searches which go beyond what is reasonable in terms of time and money, taking into account the circumstances of the case.

Second, both sets of guidelines indicate that in order to meet the information requirements in Article 15(1) and (2) GDPR it is not sufficient for companies to provide a copy of, link to, or extract from their privacy notice when responding to access requests. Rather, organisations are required to update and tailor the information in the privacy notice to reflect the processing operations carried out with regard to the data subject making the request. A recent ruling from the CJEU (Case C-151/21) supports this view. This will unfortunately make responding to access requests a more burdensome task for many organisations.

Further cases regarding the scope of the right of access under Article 15 GDPR are currently pending before the CJEU and should provide greater clarity on that scope.


Cookie Compliance

Cookie compliance continues to be an enforcement trend. In January 2023, the EDPB Cookie Banner Task Force published a report which provides some tips on how to comply with the cookie rules in the ePrivacy Directive. The Report was issued following complaints from NOYB, and investigations by EU DPAs in relation to certain companies' cookie banners and policies. In light of the report and continued enforcement of cookie rules by EU DPAs across Europe, it would be prudent for organisations to revisit their cookie practices to ensure they comply with the cookie rules and expectations of Regulators.

Deceptive Design Patterns in Social Media Platform Interfaces

The EDPB has published finalised Guidelines 03/2022 on deceptive design patterns in social media platform interfaces. The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid deceptive design patterns that violate the GDPR. Deceptive design patterns are interfaces and user journeys implemented on social media platforms that attempt to influence users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data. The guidelines provide examples of deceptive design pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that aim to facilitate the effective implementation of the GDPR.

European Data Protection Board Agenda for 2023

The European Data Protection Board ("EDPB") recently published its 2023-2024 work programme. In particular, the EDPB intends to publish guidance on a list of topics, including: Legitimate Interest; Children's Data; Processing of data for Medical and Scientific Research Purposes; Anonymisation and Pseudonymisation. The EDPB further indicated its intention to develop guidance on the interplay between the proposed EU Artificial Intelligence Act and the GDPR, along with updated guidance on the right of access, identifying lead supervisory authority and breach notification. Organisations should familiarise themselves with these guidelines once published, as they set out the expectations of EU DPAs in regard to GDPR compliance requirements.

The EDPB will also continue to prioritise effective enforcement and cooperation between European data protection authorities, such as by supporting their work on cases of strategic importance.

Separately, the European Commission has launched an initiative to improve and streamline cooperation between EU data protection authorities when enforcing the GDPR in cross-border cases. Little is known of the initiative so far, other than the fact that it aims to harmonise aspects of administrative procedure applied by national DPAs in cross-border cases. The initiative likely follows on from the EDPB's letter to the European Commission of 10 October 2022, which contained a list of procedural aspects that could benefit from further harmonisation at EU level. The list includes, amongst other issues, the status and rights of parties to administrative procedures; procedural deadlines; requirements for admissibility or dismissal of complaints; investigative powers of Supervisory Authorities; and the practical implementation of the cooperation procedure.

Recent Developments in the EU Digital Technology Space

The European Commission has been making good progress with its Digital Single Market Strategy, which consists of a wide-ranging group of legislative initiatives aimed at adapting the European market to the digital age. EU regulation of digital services is intended to ensure better access for consumers and businesses to online goods and services across Europe, for example by removing barriers to cross-border e-commerce and improving access to online content while increasing consumer protection. It also aims to address concerns in relation to cybersecurity, data protection/e-privacy, and the fairness and transparency of online platforms.

The legislative proposals, once a promise for the future, are quickly becoming a reality. The Digital Markets Act, Digital Services Act, Data Governance Act and the NIS2 Directive have each been published in the Official Journal and entered into force in recent months.

2023 is likely to bring much more data regulation, as negotiations continue at EU level in respect of the proposed Data Act, Artificial Intelligence Act, Artificial Intelligence Liability Directive, Cyber Resilience Act, and ePrivacy Regulation. These legislative proposals will significantly affect companies operating in the technology sector and beyond.

EU Digital Services Act: What Does it Mean For Online Platforms?

Oct 19, 2022

The EU Digital Services Act ("DSA") is set to be signed by the Presidents of the European Parliament and Council on 19 October 2022. It will then be published in the Official Journal, and will come into force 20 days after publication. The bulk of the DSA's provisions will apply 15 months after it enters into force (i.e. February 2024).

The DSA contains new rules to ensure greater accountability on how online intermediary service providers (who provide recipients with access to goods, services and content) moderate content, advertise, and use algorithmic processes. It gives practical effect to the principle that what is illegal offline, should be illegal online. The greater the size, the greater the responsibilities of intermediary service providers. In this article, we discuss what this ground-breaking new law means for such providers.

Why is the Digital Services Act so important?

The DSA (along with its sister legislation, the 'Digital Markets Act', which we previously discussed here) has been lauded as "historic" by the President of the European Commission, Ursula von der Leyen, and described as "a world first in the field of digital regulation". The importance of the DSA lies in the significant new obligations it heralds for online intermediary service providers, including social media platforms, online marketplaces, and app stores.

Who does the DSA apply to?

The DSA takes a layered approach to regulation. Whilst the most basic obligations under the DSA apply to all online intermediary service providers, additional obligations apply to providers in other categories, with the heaviest regulation applying to very large online platforms ("VLOPs") and very large online search engines ("VLOSEs"). To understand the full scope of their responsibilities and liabilities under the DSA, intermediary service providers will need to determine which category they belong to.

The four categories are:

(1) Intermediary service providers are online services which consist of either a "mere conduit" service, a "caching" service, or a "hosting" service. Examples include online search engines, wireless local area networks, cloud infrastructure services, or content delivery networks.

(2) Hosting services are intermediary service providers who store information at the request of the service user. Examples include cloud services and services enabling sharing information and content online, including file storage and sharing.

(3) Online Platforms are hosting services which also disseminate the information they store to the public at the user's request. Examples include social media platforms, message boards, app stores, online forums, metaverse platforms, online marketplaces and travel and accommodation platforms.

(4) (a) VLOPs are online platforms having more than 45 million active monthly users in the EU (representing 10% of the population of the EU).

(4) (b) VLOSEs are online search engines having more than 45 million active monthly users in the EU (representing 10% of the population of the EU).

What is the territorial scope of the DSA?

The DSA has extra-territorial scope. It applies to the above categories of intermediary service providers who are established in the EU, and also to those providers established outside of the EU that offer services to users in the EU. When not established in the EU, intermediary service providers will have to appoint a legal representative in the EU, as many companies already do as part of their obligations under other legislation. Notably, the designated legal representative can be held liable for non-compliance with obligations under the DSA, without prejudice to the liability of the provider of the respective intermediary services.

What new obligations does the DSA introduce for intermediary service providers?

We have set out below some of the key obligations applicable to intermediary service providers under the DSA, depending on which category they fall within (i.e. see categories 1-4 above). The obligations of providers are aimed at matching their role, size and impact in the online ecosystem.

Obligations applicable to all providers of intermediary services listed at Categories 1-4 above:

  • Transparency Reporting: Intermediary service providers must publish annual transparency reports on their content moderation activities, including the measures they take to apply and enforce their terms and conditions.
  • Terms and Conditions: Intermediary service providers must have clear terms and conditions for their content moderation practices. They must also provide easily accessible information on the right to terminate the use of their services.
  • Official Orders: All intermediary service providers that receive an order to act against illegal content must inform the relevant supervisory authority of any follow up given to the order, specifying if and when they followed the order. The same obligation applies to orders to provide information.
  • Points of Contact & Legal Representative: Intermediary service providers must designate a single electronic point of contact for official communication with supervisory authorities in the EU. As noted above, non-EU based providers must also appoint an EU legal representative.

Obligations applicable to all intermediary service providers listed at Categories 2-4 above:

  • Notice & Action Mechanisms: Intermediary service providers must implement a notice and action mechanism for content that users consider illegal. Content targeting victims of cyber violence must be removed "immediately", and other content deemed illegal must be removed "swiftly".
  • Statement of Reasons: Intermediary service providers must provide users with a statement of reasons whenever they delete or block access to their content for content moderation purposes. They must also provide such a statement when they restrict payments or suspend or terminate their own service or the user's account.
  • Reporting Criminal Offences: If intermediary service providers suspect any serious criminal offences they must notify national law enforcement or judicial authorities.

Obligations applicable to all intermediary service providers listed at Categories 3-4 above:

  • Complaint & Redress Mechanism: Users will have new rights of redress, including a right to complain to the platform, seek out-of-court settlements, complain to their national authority in their own language, or seek compensation for any damage or loss suffered due to an infringement of the DSA. Representative organisations will also be able to defend user rights for large-scale breaches of the law.
  • Trusted Flaggers: Platforms must cooperate with designated 'trusted flaggers' to identify and remove illegal content. Illegal content is defined as including any information that, in itself or in relation to an activity, is not in compliance with EU or Member State law. The recitals to the DSA provide some illustrative examples of illegal content, such as the sharing of images depicting child sexual abuse.
  • Bans on Targeted Advertising to Children and based on special category data: Significant curtailment of targeted advertising, including a ban on targeted advertising to children and on targeting based on special categories of personal data, such as ethnicity, political views, sexual orientation, religion, or genetic or biometric data.
  • Advertising Transparency: There are also new obligations in regard to advertising transparency, including a requirement to include meaningful information on why a user was targeted with a particular advertisement.
  • Recommender Systems: Intermediary service providers that use recommender systems must set out in their terms and conditions the main parameters that determine how they suggest or prioritise information for users, as well as any options for users of the service to modify or influence those main parameters.
  • Protection of Minors: Intermediary service providers must put in place "appropriate and proportionate measures" to ensure a high level of privacy, safety, and security of minors, on their service.
  • Interface Design: A ban on so-called ‘Dark Patterns’. Dark Patterns are designs used to manipulate users into choices they do not intend to make, by exploiting some cognitive bias. The ban on Dark Patterns extends to targeted advertising nudging users to purchase certain goods, or in recommender systems (algorithms which determine the content presented to a user) which use human cognitive traits to present content to users that are more likely to keep a user on a platform as long as possible.
  • Traceability of Traders: If intermediary service providers enable consumers to conclude contracts with traders (e.g. online marketplaces), they must ensure traceability of these traders by collecting and assessing the veracity of basic trader information. If the platform becomes aware of an illegal product or service offered by the trader, it must inform affected consumers.

Additional Obligations for VLOPs and VLOSEs at Category 4 above

The DSA introduces another layer of obligations specific to VLOPs and VLOSEs due to their systemic impact in facilitating public debate, economic transactions and the dissemination of information, opinions and ideas, including:

  • Annual Risk Assessments: An obligation to carry out annual risk assessments and put in place risk mitigation measures regarding any systemic risks, including the dissemination of illegal content and negative effects for fundamental rights.
  • Audits: VLOPs and VLOSEs will be subject to enhanced transparency obligations, including annual independent audits to assess their compliance with their obligations under the DSA, at their own expense.
  • Compliance function: Both VLOPs and VLOSEs must establish an independent compliance function within their organisations, which reports directly to the board and which is made up of suitably qualified professionals who are adequately trained. This is analogous to the concept of a 'Data Protection Officer' under the GDPR.
  • Recommender systems: VLOPs must provide users with at least one option to choose a recommender system that is not based on profiling.
  • Data access & scrutiny: VLOPs and VLOSEs must provide regulators with access to any data that is necessary for the purpose of assessing their compliance with the DSA. Upon request from the competent regulator, VLOPs and VLOSEs must also provide vetted researchers with access to certain data in order to understand how online risks evolve.
  • Additional advertising transparency: VLOPs and VLOSEs must provide a repository, where recipients can access information on online advertising that was displayed within the last year. Such information includes the content of the online advertisement, its principal, period and target groups. These rules may pose a significant challenge to the protection of trade secrets.
  • Crisis Response Cooperation: VLOPs and VLOSEs must implement a crisis response mechanism and follow directions given by the European Commission concerning specific actions on content during social and political emergencies, such as pandemic or war.

Will the DSA replace the eCommerce Directive?

The DSA will not replace the eCommerce Directive, which remains the cornerstone legal framework for all digital services. However, in order to provide greater harmonisation, the DSA incorporates the existing rules exempting online intermediaries from liability for the content they host under certain conditions, to ensure innovative services can continue to emerge and scale up in the single market.

Who will enforce the DSA?

For intermediary service providers, the supervisory authority will be the Digital Services Coordinator in the Member State in which the provider has its main establishment (or in respect of providers that do not have an establishment in the EU, but offer services in the EU, the Member State where their legal representative resides or is established). In Ireland, the Media Commission will be empowered to regulate intermediary service providers. It will have the power to impose penalties, including financial fines.

Each Member State will specify the penalties in their national laws, ensuring they are proportionate to the nature and gravity of the infringement, yet dissuasive to ensure compliance. The DSA specifies only that the maximum fine will be 6% of the annual worldwide turnover of the provider of intermediary services concerned in the preceding financial year. For the supply of incorrect, incomplete, or misleading information, failure to reply or rectify such information, and failure to submit to an inspection, the maximum fine will be 1% of the annual income or worldwide turnover of the provider of intermediary services or person concerned in the preceding financial year.

A late addition to the DSA was to provide the European Commission with direct and exclusive enforcement jurisdiction over the obligations specific to VLOPs and VLOSEs, along with any 'systemic' issues concerning VLOPs or VLOSEs. This means the European Commission alone has authority to enforce these specific obligations on VLOPs and VLOSEs. The Commission will similarly have the power to impose fines of up to 6% of the annual worldwide turnover of VLOPs or VLOSEs.

The enforcement mechanism is not limited to fines: the Digital Services Coordinator and the European Commission will have the power to require immediate actions where necessary to address very serious harms, and platforms may offer commitments on how they will remedy them.

In addition, individuals will have the right to seek compensation from providers of intermediary services, in respect of any damage or loss suffered due to an infringement by those providers of their obligations under the DSA.

Battles of the future?

It is unclear at present how a number of areas of the DSA will be enforced, and it appears likely that there will be some disputes and challenges concerning certain obligations imposed under the DSA. These may include:

  • how to determine if a practice is a 'Dark Pattern' and how 'Dark Patterns' are to be distinguished from acceptable uses of an online platform's functionality to promote business interests;
  • how to ensure machine learning algorithms stay within the parameters set by the DSA, for example by not inadvertently inferring special category data (such as someone's political opinion or health status) when presenting someone with an advertisement;
  • how to ensure recommender system transparency does not allow bad actors to 'game' an online platform by using key words it knows are more likely to be promoted by the algorithm and thereby ensure their content rises to the top of users' feeds;
  • what information is sufficient to put an online platform on notice that a user is a child (and therefore prohibited from being profiled for targeted advertising); and
  • how the DSA will interact with other laws which apply to the same subject-matter, such as the GDPR and online safety legislation.

When will the DSA come into force?

The DSA is a Regulation, and will be directly applicable across the EU 15 months after its entry into force. Under the anticipated timetable, businesses can expect that the DSA will be published in the Official Journal shortly after it is signed by the Presidents of the European Parliament and Council on 19 October 2022, and enter into force around mid-November 2022 (20 days after publication), with the bulk of provisions then taking effect in mid-February 2024 (15 months later). However, the DSA may kick in sooner for VLOPs and VLOSEs, as it will apply to them four months after their designation by the European Commission. Designation by the European Commission will take place on the basis of user numbers reported by these service providers, which service providers will have three months after entry into force of the DSA to provide.

Contact Us

If you would like to discuss this, or any other related data protection and data privacy matters concerning your business, please do not hesitate to contact any member of our Technology and Innovation Group.
