TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Europe Data Protection Digest | Notes from the IAPP Europe Managing Director, 25 Jan. 2019 Related reading: Podcast: Given legal uncertainty, what to do about cross-border data transfers?

rss_feed
GDPR-Ready_300x250-Ad

Greetings from Brussels!

A fairly newsworthy week here in Europe in what concerns data protection. At the international level, the European Commission adopted an adequacy decision on Japan, creating the world’s largest area of safe data flows. As you may already know, the initial procedure was launched in September of 2018. Importantly, this adoption reflects positive opinions of both the European Data Protection Board as well as the agreement of a committee composed of representatives of the EU member states. The adequacy decision was simultaneously adopted by Japan and becomes applicable with immediate effect as signed 23 Jan.

This is a major milestone for free data flow and international transfers. Japan is the world’s third-largest economy, and in many respects, it will now be treated and trusted as if it were an EU member state in what concerns the sharing and protection of personal data of European consumers. This will go a long way to facilitate bidirectional trade as a critical and substantial component of the modern digital economy. In real terms, we are talking about a “common area” of more than 600 million people; this is a sizable market by any standard. It should be noted that EU companies will also benefit from privileged access to a market comprising 127 million consumers. EU Commissioner Věra Jourová said the arrangement "will serve as an example for future partnerships" on data flows and facilitate global standards.

Among other aspects, the EU and Japan cleared the final hurdle by agreeing on a series of “supplementary rules.” These essentially cover the protection of sensitive data, the exercise of individual rights, and the conditions under which EU data can be further transferred from Japan to another third country. The adequacy decision complements the EU-Japan Economic Partnership Agreement, which takes effect next month, to become the world's biggest trade deal. Make no mistake, data protection has become an instrument and integral component of the EU’s trade negotiation toolbox; the GDPR has truly made this necessary for all future trade negotiations.

In other equally meaningful news, Google has become the first U.S. tech giant to be fined under the GDPR in the context of mobile services related to the Android operating system. You’d have to have been on interstellar travel not to have seen some new coverage on this. But just in case... In short, French data protection authority, the CNIL, has levied a 50 million euro fine against Google for two alleged violations of the GDPR. In the first, a violation of the obligations of transparency and information, the regulator essentially maintains that the user is unable to understand the full extent of the processing operations carried out by Google. The second is the alleged violation of the obligation to have a legal basis for ad personalization processing: Basically, it is held that Google has not obtained the necessary user “consents” (plural) in a valid and unambiguous fashion as provisioned under GDPR. See articles here for more detail.

Google has said it will appeal the decision.

Interestingly, where Google have their European headquarters in Dublin Ireland, and following consultation with fellow European regulators and in particular the Irish, the French initiated proceedings against Google LLC in the US., on the grounds that in this particular instance, the Irish Google legal establishment did not have decision-making power on the processing operations in question. Here is where it is interesting, the CNIL levied the fine against Google LLC "one day" before Google Ireland became the data controller for users based in the EU, the EAA and Switzerland. As of this week, the Irish data protection authority became the lead authority for any investigations into Google in Europe.

Ultimately, the CNIL's enforcement action could set a big precedent for the ad-supported online economy. Think of the impact such a ruling may have on publishers, original content creators and aligned tech companies across the EU as well as internationally: A concern voiced by Google.

Comments

If you want to comment on this post, you need to login.