We’ve pulled together the five biggest stories from the past month to help you keep abreast of the latest data privacy news.
Google has won against the French data protection supervisory authority, CNIL, in the European Court of Justice (ECJ). In 2015, CNIL ordered Google to remove links to damaging or false information about someone across their global search engines, as opposed to solely in the EU as Google had done. The court stated, “the balance between right to privacy and protection of personal data, on the one hand, and the freedom of information of internet users, on the other, is likely to vary significantly around the world.”
The ECJ’s ruling means that people will still be able to access search results on search engines outside the EU that they can’t from inside the EU. However, even from within the EU, virtual private networks (VPNs) can work to circumvent the geo-blocking techniques Google is using to prevent people in the EU from seeing the delisted information.
Access Now, an international non-government organisation, has described the EU-U.S. Privacy Shield agreement, which allows data transfers between the EU and the US, as “toothless”. Access Now says, “By maintaining the Privacy Shield, the EU Commission weakens Europe’s data protection framework and risks undermining its global leadership role in advancing human rights.”
The validity of the adequacy decision granted by the EU Commission under the Privacy Shield is currently at issue before the ECJ. One of the main questions is whether US practices on processing personal data by public authorities and agencies can coexist with requirements under European data protection law. We will bring you news of the judgement in a future blog.
The limits that the California Consumer Privacy Act (CCPA) will place on selling data from 1 January 2020 are causing confusion and problems for publishers. A survey found that 87% of consumers “are likely to select ‘Do Not Sell My Personal Information’ with only 8% continuing to the website”, highlighting the fact it will be much harder for businesses to gain any value from the data they collect. In fact, the CCPA’s definition of a sale is broad, and includes sharing or disclosing of data for “monetary or other valuable consideration.”
Many other states are currently considering data protection legislation. Given the federal government’s inaction, it is likely that states will continue to enact their own privacy laws. For example, in June 2019, the state of Maine passed the Act to Protect the Privacy of Online Customer Information, which will be effective from July 2020. It requires Internet service providers (ISPs) to receive permission from users in order to share information with a third party. In contrast to the CCPA, an individual’s data should not be sold by default.
Nearly 15 months after Greece was referred to the European Court of Justice for failing to transpose the Law Enforcement Directive, the Greek government has enacted a bill that supplements the GDPR with additional measures, establishes Greek derogations from the GDPR and provides provisions for law enforcement as required.