European Court of Human Rights
On March 4th, the Center for Democracy and Technology (CDT) published an article about the European Court of Human Rights’ reconsideration of countries’ bulk collection of data. The Court is currently considering two cases concerning the bulk interception of citizens’ private data – Big Brother Watch and Others v. United Kingdom and Centrum för rättvisa (“Center for Justice”) v. Sweden. The Court initially determined in both cases that bulk surveillance was compliant with the European Charter of Human Rights, in principle, but that the cases lacked sufficient oversight and adequate safeguards for citizens’ privacy rights. According to the article, the minimum safeguards for data collection, including a requirement of reasonable suspicion, were not adopted in either case. Both cases will be reviewed by the European Court of Human Rights Grand Chamber.
European Union Cyber Security Framework
On March 18th, the Council of the European Union adopted the Law Enforcement Emergency Response Protocol, a framework which will help EU member states coordinate responses to cyberattacks and share information about cybersecurity threats in a timely manner. According to the announcement, the Protocol is in response to the WannaCry and NotPetya cyberattacks in 2017, as well as concerns about cybersecurity threats to the upcoming EU Parliament elections. The Protocol determines procedures, roles, and responsibilities of key players in the EU for detecting and responding to a cyberattack.
General Data Protection Regulation
On March 21st, the advocate general, an advisor to the Court of Justice of the European Union, published a nonbinding opinion about valid opt-in methods to obtain consent under the General Data Protection Regulation (GDPR). Planet49, a German online lottery company, asked users to check a box to allow advertisements. A second box was pre-checked for users to consent to cookies. The advocate general determined that unchecking a pre-selected box does not qualify as valid opt-in consent. According to the advocate general, de-selecting a box to refuse consent does not reach the GDPR threshold that consent is “freely given” and “informed.”
Irish Data Protection Commission
On February 28th, Ireland’s Data Protection Commission (DPC) released its annual report, which focuses on its activities over the past year. Key takeaways were:
- 10 of the 15 major investigations that have been launched since the EU’s General Data Protection Regulation (GDPR) took effect focus on Facebook;
- Since the GDPR took effect in May 2018, the DPC has received 3,542 valid data security breach reports. For all of 2018, the DPC received 4,740 data breach reports, which was a 70 percent increase compared to 2017; and
- The DPC has received 38 data breach notifications involving 11 multinational technology companies since the GDPR went into effect, including Facebook and Twitter.