Last week in privacy (week 39)

German EU Council presidency releases new proposal for ePrivacy Regulation


The new ePrivacy Regulation has been subject to negotiations that seem endless. After the failure of the negotiations over the latest drafts proposed by the Finnish and Croatian Presidencies, the German Presidency aims to achieve a general approach by the end of 2020.


In July 2020, the German Presidency asked other Member States to submit their written comments on the main issues of Article 6 (protection of electronic communications) and Article 8 (protection of end-user terminal equipment). Now, a new draft version has been released by the Presidency.


See the DRAFT 9931/20 on ePrivacy here.


New evidence submitted to DPC’s Google RTB investigation


The Irish Council for Civil Liberties (“ICCL”) has submitted more evidence to the Irish Data Protection Commission (“DPC”) detailing how Google shares personal data of a very sensitive nature with 968 companies.


The new evidence follows a two-year-old complaint lodged with the Irish DPC, which claims unlawful exploitation of personal data via the Real-Time Bidding (“RTB”) process and calls it the biggest data breach of all time.


Real-Time Bidding operates behind the scenes on many websites and apps. It broadcasts the private things people do and watch online, and where they are in the real world, to countless companies. Google’s RTB system sends this data to 968 companies.


The newly submitted evidence demonstrates how people with AIDS, a brain tumour or diabetes, or people subject to abuse or incest, are profiled and targeted with ads, and how Polish elections were influenced.


See the new evidence here.


Swiss Parliament adopts the new Federal Data Protection Act


On 25 September 2020, the Swiss Federal Assembly announced the adoption of the revised version of the 28-year-old Data Protection Act. The new Federal Act on Data Protection (“FADP”) is adapted to EU data protection law and today’s digital world, but is still subject to a referendum.


The Federal Data Protection and Information Commissioner of Switzerland (“FDPIC”) will provide a more detailed statement on the revised law once the ongoing referendum period has expired.


See the announcement of the Swiss Federal Assembly here and a press release by the FDPIC here.


Finnish DPA entrenches its position on the ongoing cookie consent litigation


The Helsinki Administrative Court requested an opinion from the Finnish DPA concerning the earlier decision of the Finnish telecoms regulator (“Traficom”), according to which browser settings still constitute valid consent for cookies and other tracking mechanisms. Despite the CJEU ruling in case C-673/17 (“Planet 49”) last year, Traficom made two controversial decisions that contradict the Planet 49 ruling, arguing that Finnish national law supersedes the GDPR.


As expected, the Finnish DPA sees Traficom’s arguments as ‘erroneous’ in many ways. See the Finnish DPA’s submission in our earlier blog post.