Tag Archives: Consent

Commission Nationale de l’Informatique et des Libertés (CNIL)

Rules for the use of personal data in electoral campaigns

In July 2016, France’s National Data Protection Commission (CNIL) issued a formal notice to Microsoft Corporation urging it to make Windows 10 comply with French data protection law. The CNIL criticized the company for three actions:

a) tracking its users’ web browsing habits without their consent,

b) failing to offer proper security protections, and

c) delivering targeted advertising materials without the user’s consent.

This notification does not seek to prohibit Microsoft from using its services to advertise but seeks to enable users to make their choice freely, having been properly informed of their rights.

Consequently, the CNIL gave the company three months to comply with its orders to stop collecting personal data without the consent of the users concerned. Otherwise, the company may face applicable sanctions of up to 150,000 euros.

Article 29 Working Party (WP29)

WP29 issues Opinion on the evaluation and review of the ePrivacy Directive

On July 19th, 2016, the WP29 presented an Opinion on the evaluation and review of the e-Privacy Directive (2002/58/EC). For the WP29, a thorough revision of the rules in the e-Privacy Directive is necessary in order to take into account the technological developments in the digital market and the recent adoption of the General Data Protection Regulation (GDPR).

Background information

The revision of the e-Privacy Directive is part of the Digital Single Market Strategy, announced by the European Commission (EC) in May 2015. The EC started the review of the Directive in 2015 by requesting a study on the transposition and effectiveness of the privacy-related articles of the e-Privacy Directive, as well as on the relationship between the Directive and the GDPR. A report[1] was published in June 2015. In April 2016, the EC launched a public consultation, open to citizens, legal entities and public authorities. The Commission consulted stakeholders on both the retrospective evaluation and the possible changes to the current e-Privacy Directive. The Opinion of the WP29 responds to this call. The EC intends to use the feedback from the consultation to prepare a new legislative proposal, which is expected by the end of 2016.

European Data Protection Supervisor (EDPS)

EDPS issues a preliminary Opinion on the Review of the ePrivacy Directive

On July 22nd, 2016, the EDPS presented a Preliminary Opinion on the Review of the e-Privacy Directive (2002/58/EC). For the EDPS, a new proposal on e-Privacy should “guarantee confidentiality of communications, offer clarity and complement the General Data Protection Regulation (GDPR)”. In short, the rules should be “smarter, clearer, stronger”.

Background information

The revision of the e-Privacy Directive is part of the Digital Single Market Strategy, announced by the European Commission (EC) in May 2015. The EC started the review of the Directive in 2015 by requesting a study on the transposition and effectiveness of the privacy-related articles of the e-Privacy Directive, as well as on the relationship between the Directive and the GDPR. A report[1] was published in June 2015. In April 2016, the EC launched a public consultation, open to citizens, legal entities and public authorities. The Commission consulted stakeholders on both the retrospective evaluation and the possible changes to the current e-Privacy Directive. The Opinion of the EDPS responds to this call. The EC intends to use the feedback from the consultation to prepare a new legislative proposal, which is expected by the end of 2016.

Agencia Española de Protección de Datos (AEPD)

Companies will be able to monitor their employees with video-surveillance cameras without their consent

Background of the case

The company had detected that one of the employees might have been misappropriating funds in one of its stores. Based on this suspicion, the company unilaterally decided to install video-surveillance cameras, giving notice of the cameras’ installation in a visible place on the shop’s window, but without formally informing its employees.

On 3 March 2016, the Spanish Constitutional Court issued Judgment 7222-2013. In that resolution, it stated that when a company suspects that irregularities are being committed, monitoring its employees with video-surveillance cameras without their specific consent is justified. Accordingly, it is not necessary to inform the employees of the specific purpose for which such cameras are being installed.

More specifically, the Judgment stated the following:

a) Legitimate purpose. The camera was installed due to the suspicion that one of the employees in the store was stealing from the cash register.

b) The employee was generically informed about the installation of the video-surveillance cameras as it had. Under those circumstances, the Constitutional Court stated that it was not required to explicitly inform the employees of the reason why the mechanism had been implemented.

c) Proportionality. The installation allowed the company to verify the irregularities committed by the employees (suitable), the video-surveillance camera was the last resort available to the company to determine exactly who was stealing money (necessary), and the recordings were limited exclusively to the cash register area (proportional).

Information Commissioner’s Office (ICO)

Pharmacy2U Ltd Monetary Penalty Decision Notice

“An online pharmacy that sold details of more than 20,000 customers to marketing companies has been fined £130,000. Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company.

The ICO investigation found that Pharmacy 2U had not informed its customers that it intended to sell their details, and that the customers had not given their consent for their personal data to be sold on. This was in breach of the Data Protection Act.” ICO found that “Pharmacy2U has obtained personal data unfairly because its online registration form and privacy policy did not inform its customers that it intended to sell their details to third party organisations, in addition to sending out its own marketing material. It would not be within a customer’s reasonable expectation that this form of disclosure would occur, even if they were willing to agree to the receipt of marketing material from Pharmacy2U itself. If a customer wished to take up Pharmacy2U’s offer to opt out of “Selected company data sharing”, they also had to go to the trouble of logging into their account and changing the setting.”

ICO also found that the contravention of the Data Protection Act 1998 was serious, and of a nature likely to cause substantial damage or substantial distress. This was based upon the type of data sold (including data on existing and potentially embarrassing health conditions) and that individuals using the Pharmacy2U website would have had an expectation of confidentiality. However, ICO did not consider that Pharmacy2U had deliberately contravened the DPA, but that it had been negligent.