01 Oct Privacy Update
Groundbreaking Court of Appeal judgment: Privacy Shield invalid
The European Court of Appeal passed a groundbreaking judgment this summer on the exchange of personal data between the EU and the USA.
The General Data Protection Regulation (GDPR) provides that personal data may not simply be transferred to persons or organisations located outside the European Economic Area (known as “third countries”). That is permitted only if those third countries offer the level of protection guaranteed under the GDPR. The GDPR provides that data may be transferred to third countries on the basis of:
- adequacy decisions;
- appropriate safeguards; and
- standard contracts.
The Safe Harbor Framework, which sets out agreements between the EU and the USA on the exchange of personal data, was addressed in one of our earlier newsletters. Organisations that joined that Framework were considered safe processors of European personal data. Austrian privacy activist Schrems successfully argued at the time that the USA did not offer an adequate level of protection that allows the transfer of personal data from the EU to the USA. On 6 October 2015, the European Court of Justice consequently invalidated the Safe Harbor Framework under which personal data was exchanged between the EU and the USA at the time.
The Safe Harbor Framework was replaced by the EU-US Privacy Shield, which was intended to better protect the personal data of European citizens in the USA. The Privacy Shield would allow the US government to access only strictly necessary data. The European Court of Justice recently ruled in the Schrems II judgment that also the Privacy Shield insufficiently guaranteed the protection of personal data exchanged with the US, because the US government was able to access more data than agreed within Europe. US legislature allows intelligence and security services to use data of EU citizens, which goes beyond the agreement to access only “strictly necessary” data.
So what does this judgment mean? Now that the Privacy Shield has been invalidated, personal data of European citizens may no longer be exchanged with the USA under that framework. But the European Court of Justice does still allow the use of standard contracts. They may serve as a valid ground for the transfer of personal data of European citizens to third countries, including the USA. But also in that case an equivalent level of protection must be guaranteed in practice. The European Data Protection Board (EDPB) is currently investigating the practical consequences of the judgment and the follow-up steps, if any, to be taken. The EDPB will most likely publish guidelines in the near future for additional measures that organisations may include in standard contracts.
High fines for use of fingerprints
The Dutch Data Protection Authority has imposed a fine of €725,000 on a company that processed fingerprints of its employees. The fingerprints were used for time and attendance tracking. After investigating the case, the Data Protection Authority found that no exception applied on which the company could rely.
Like other biometric data, fingerprints are classified as “special personal data”. Such data may be used only if a statutory exception applies. The possible exceptions referred to in the law for the use of personal data include express permission given by the data subjects and the need to use biometric data for authentication or security purposes. But the company in question could not rely on either of those exceptions.
The question whether fingerprints may be used for access control, for instance, depends on the required level of security of the building/room or the information systems. Fingerprints may be used, for instance, to give access to nuclear power plants, but not, for instance, in the case of POS systems, because good alternatives are available.
Express consent could also not be relied on as a valid ground for an exception in the case in question, because it involved a dependent relationship between an employer and its employees, which means that those employees were not free to withhold their permission.
This fine demonstrates that the use of employees’ fingerprints is unlikely to be allowed. Such use is permissible only if the security of very important buildings of computer systems so requires and no equivalent alternatives are available.
For further information or advice on this subject, please contact Lise van den Heuvel (+31-6-23492248).
This article was published in the Newsletter Vestius of October 2020