During its March plenary, the EDPB adopted the following documents:
The EDPB and EDPS have adopted a joint opinion on the European Commission’s proposals to extend the current Regulations on the EU Digital COVID Certificate (EUDCC) by 12 months and to amend certain provisions, such as a broadening of the types of COVID tests accepted in the context of travels within the EU and clarifying that vaccination certificates should contain the number of doses administered to the holder, regardless of the Member State in which they have been administered.
The EDPB and the EDPS take note that the proposal does not alter substantially the existing provisions of the Regulations with regard to the processing of personal data. In line with the previous joint opinion on the initial COVID Certificate Regulations, the EDPB and the EDPS recall that compliance with data protection rules does not constitute an obstacle for fighting the COVID-19 pandemic. Given the unpredictability of the possible prolongation of the pandemic, the EDPB and the EDPS understand the need to extend the applicability of the EUDCC Regulation.
However, since this proposal aims to extend the duration of a measure to fight the COVID-19 pandemic, the relevant scientific evidence and additional measures in place, should be regularly assessed to ensure the respect of general principles of effectiveness, necessity and proportionality.
The EDPB and EDPS regret that no impact assessment was carried out by the Commission. In addition, the EUDCC Regulation provides for a duty for the EU Commission to submit a report to the European Parliament and the Council on the impact of the Regulation on the facilitation of free movement, fundamental rights and non-discrimination. The EDPB & EDPS strongly consider that the Commission should annex this report to the current proposal.
EDPB Chair, Andrea Jelinek said: “These proposals are of particular importance due to their major impact on the protection of individuals’ rights and freedoms. Any restriction to the free movement of persons within the EU to limit the spread of COVID-19, including the requirement to present EU Digital COVID Certificates, should be lifted as soon as the epidemiological situation allows.”
EDPS Supervisor, Wojciech Wiewiórowski said: “We need to continuously evaluate which measures remain effective, necessary and proportionate in the fight against the COVID-19 pandemic. Data protection principles should be continuously applied and integrated, having due regard to the evolution of the epidemiological situation and the impact on fundamental rights.”
The modification of certain fields of data, such as the clarification that vaccination certificates are to contain the number of doses administered to the holder or the proposal to make participants in clinical trials for the development of COVID-19 vaccines eligible for a COVID-19 vaccination certificate, seems to be limited to what is strictly necessary and does not raise particular concerns from a data protection perspective. However, the EDPB and EDPS recall their previous position that any modification of data fields might require a re-evaluation of the risks to fundamental rights and that only more detailed data fields falling under the already defined categories of data should be added through the adoption of delegated acts. The EDPB and EDPS will continue to pay special attention to the evolution of the COVID-19 pandemic and, in particular, to the use of personal data following the end of the pandemic.
Brussels, 15 March - The EDPB adopted Guidelines on Art. 60 GDPR. The drafting of such guidance is part of the EDPB Strategy and Work Programme 2021-2022 to support effective enforcement and efficient cooperation between national supervisory authorities (SAs). The guidelines provide a detailed description of the GDPR cooperation between SAs and aim to further increase the consistent application of the legal provisions relating to the one-stop-shop mechanism. The guidelines help SAs to interpret and apply their own national procedures in such a way that it conforms to and fits in the cooperation under the one-stop-shop mechanism.
The EDPB adopted Guidelines on dark patterns in social media platform interfaces. The guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe on GDPR requirements. Dark patterns are interfaces and user experiences implemented on social media platforms that cause users to make unintended, unwilling and potentially harmful decisions regarding the processing of their personal data. This influences users’ behaviour and ability to effectively protect their personal data. The guidelines give concrete examples of dark pattern types, present best practices for different use cases and contain specific recommendations for designers of user interfaces that facilitate the effective implementation of the GDPR.
The EDPB adopted a toolbox on essential data protection safeguards for enforcement cooperation between EEA and third country SAs. This contributes to one of the key actions of the EDPB Strategy and Work Programme 2021-2022 and aims to facilitate the engagement between EDPB members and the SAs of third countries. The toolbox can be used both for administrative arrangements developed within the EDPB by the SAs themselves and for international agreements negotiated by the European Commission. The toolbox covers key topics, such as enforceable rights of data subjects, compliance with data protection principles and judicial redress.
Finally, the EDPB adopted a joint EDPB-EDPS opinion on the proposals to extend the Digital COVID Certificate. A separate press release will be published on this topic later today.
Note to editors:
All documents adopted during the EDPB Plenary are subject to the necessary legal, linguistic and formatting checks and will be made available on the EDPB website once these have been completed.
EDPB_Press Release_2022_04
Date of final decision: 10 February 2022
Cross-border case or national case: national case, Article 3(2) applies
Controller: Clearview AI Inc.
Legal Reference: Principles relating to processing of personal data (Article 5(1)(a)(b)(e)); Lawfulness of processing (Article 6); Processing of special categories of personal data (Article 9); Transparent information, communication and modalities for the exercise of the rights of the data subject (Article 12); Information to be provided where personal data are collected from the data subject (Article 13); Information to be provided where personal data have not been obtained from the data subject (Article 14); Right of access by the data subject (Article 15); Representatives of controllers not established in the Union (Article 27).
Decision: The Italian SA imposed a fine amounting to EUR 20 million, imposed a ban on further collection and processing, ordered the erasure of the data, including biometric data, processed by the Company’s facial recognition system with regard to persons in the Italian territory and the designation of a representative in the territory of the European Union.
Key words: Web Scraping, Images Database, Facial Recognition, Biometric Data, AI systems, Geolocation, Jurisdiction under EU law, Representative in the EU.
The Italian SA launched an own volition proceeding following press reports on several issues in connection with facial recognition products which were offered by the Clearview AI Inc. Moreover, the Garante received, during 2021, four complaints and two alerts by two organisations that are active in the field of protecting privacy and the fundamental rights of individuals against Clearview.
Key FindingsThe inquiries and assessment by the Italian SA found several infringements by Clearview AI Inc. The personal data held by the company, including biometric and geolocation information, were processed unlawfully without an appropriate legal basis – since the legitimate interest of the US-based company does not qualify as such. Additionally, the company infringed several fundamental principles of the GDPR, such as transparency, purpose limitation, and storage limitation; it failed to provide the information set out by Article 13-14, to provide information on an action taken on a request under Article 15 within the due timeframe, and to designate a representative in the EU.
DecisionThe Italian SA imposed a fine amounting to EUR 20 million.
Additionally, the Italian SA:
For further information:
Ordinanza ingiunzione nei confronti di Clearview AI - 10 febbraio 2022 (IT)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.
During its February 22nd plenary, the EDPB adopted the following documents: