Data transfers to US valid in Max Schrems case – AG Saugmandsgaard
In a much anticipated response to a request for a preliminary ruling released on Thursday 19 December, AG Henrik Saugmandsgaard has decided that the transferring of personal data from tech companies domiciled in the EU to third party nations is provided adequate safeguards are in place.
The complainant in this case, Mr Schrems, is a Facebook user and privacy campaigner from Austria. The essence of his complaint is that there is no lawful basis for Facebook Ireland’s transferring of personal user data from the EU to the United States. In support of this, he argues that the Edward Snowden NSA revelations which surfaced in 2013 highlighted the lack of adequate data protection mechanisms in the US which would safeguard the rights of European Facebook users in a manner that is consistent with EU law data protection measures.
In a complaint put before the Data Protection Commission, Mr Schrems argued that that the clauses in a data transfer processing agreement between Facebook Ireland and Facebook Inc. were not sufficient for the purposes of transferring his personal data to the US and further, that they were inconsistent with the standard contractual clauses which had been laid out by the Commission in Decision 2010/87. In response to this, the DPC then brought proceedings before the High Court, requesting it to refer questions to the ECJ (Case C-311/18).
AG Saugmandsgaard proposed that the primary question before the ECJ was whether or not the standard contractual clauses relied on to facilitate the transfers are valid. In holding that they are, he went on to caution that companies and regulators need to ensure that ‘sufficiently sound mechanisms’ are in place to suspend transfers where there is a ‘conflict between the obligations arising under the standard clauses and those implied by law of the third country’.
Though this could potentially create a headache for companies whose business involves data transfers, the status quo remains largely unchanged. The full decision will not be released by the ECJ for another few months, but it is worth noting that the opinion of an Advocate General is followed in four out of every five cases.
Airbnb an ‘information society service’ as opposed to estate agent – CJEU
According to a ruling of the CJEU released on Thursday 19 December (Case C-390/18), the popular flat-sharing website known as ‘Airbnb’ is not an estate agent but is rather an information society service as per Directive 2000/31 on electronic commerce.
This dispute pertained to criminal proceedings which had been brought in France against Airbnb which alleged that it was functioning as a de facto estate agent without holding the correct licence – a blatant violation of France’s ‘Hoguet Law’. The complainant in this case is the Association pour un hébergement et un tourisme professionnels (AHTOP, or association for professional tourism and accommodation).
The key question for the courts to consider here was whether Airbnb are actually acting as estate agents or is their business model limited to merely providing a platform for professional estate agents to find perspective clients on. Airbnb also offers a range of other ancillary offerings, such as formatting tools as well as civil liability insurance. Airbnb were found to merely be an intermediary, particularly given that their website is not indispensable to the provision of rental accommodation, it simply facilitates it.
Moreover, as distinct from other companies like Uber, Airbnb do not exercise any decisive control over the lodgements offered, and indeed they have no say in setting the price. The essential business model of Airbnb lies in providing a tool to those engaged in providing accommodation services, they do not provide accommodation services in the direct sense themselves.
Read the judgment in full here.
EU Directive on transparent and predictable working conditions – six months on
In June of this year, EU Directive 2019/1152 on Transparent and Predictable Working Conditions was adopted with an implementation date of August 2022. Once transposed into Irish law, the new regime will overhaul the existing standard for contracts of employments provided under the Terms of Employment (Information) Act 1994. The provisions contained under the Directive will supplement the Employment (Miscellaneous Provisions) 2018 Act; specifically addressing shortcomings regarding zero hour contracts.
The Directive’s aim is to make working conditions within the EU more predictable, introducing minimum rights, as well as creating new rules on the kind of information that must be relayed to workers regarding their terms and conditions of employment. Therefore, it follows as a corollary that this will increase the responsibilities employers to be more transparent when issuing terms of employment to their employees.
The scope of the Directive also extends to forms of employment that are often excluded, namely, housework, occasional workers, short term employees, domestic workers, platform workers, voucher-based workers, trainees, and apprentices etc. The only example of exempted workers not protected by the Directive are those whose ‘working time’ is less than 3 hours weekly across a 4-week reference period. The changes which have been made under the Directive will now be address in turn, under the following headings: (i) Terms of employment; (ii) probationary periods; (iii) limitation of outside employment; (iv) minimum predictability of work; (v) work-related training.
Continue reading here.
Data protection enforcement: A clear road ahead?
It is now just over a year and a half since the GDPR entered into force. The flood of ‘we would like to keep in touch’ emails, asking us to re-subscribe to marketing mailing lists that might not have followed best data protection practice in the past, has come to an end. This does not mean that organisations have all sorted out their compliance issues. Some have made progress, but for many others, once the initial rush of publicity wore off, there has been little progress on auditing and validating their procedures to ensure that they were properly following the law.
This has led to some strange stories, such as the Dutch supermarket chain which encouraged its employees to provide photographs of themselves in underwear or tight-fitting clothes so that they could be provided with uniforms, but dropped the idea when the Dutch Data Protection Authority called the idea ‘bizarre’. Significant breaches continue to occur. Licence plate images from Tesco’s car parks across the UK were discovered online in a database with no access control. The European Parliament itself has been sanctioned by the European Data Protection Supervisor for processing voter data beyond legal limits. Other activities may be legal, but nonetheless raise questions that merit serious consideration, such as Mercedes-Benz placing trackers in vehicles that it sells, and in some cases, passing the location of cars onto bailiffs.
The development of a proper understanding of the scale and likelihood of fines for breaches of data protection breaches has also been slow. For those familiar with regulatory process generally, and with enforcement particularly, this is not surprising. Government agencies move at their own pace, restricted by lack of resources and a need to follow proper procedures. The fines and penalties regime in other areas of regulatory law, such as environmental law, competition law, and health and safety law, all took time to be properly established and understood. They are now taken seriously, decades later. Data protection has not got to the stage yet, but the indications are that it will, although there may be some bumps in the road.
Continue reading here.