The JENTIS Legal Digest
Image by @Benjamin Schott


Welcome to the JENTIS Legal Digest, your bi-weekly news update on all things data privacy around the world. 

Written by Tomislav Rachev LL.M.

In this edition:

  • Crunching the latest DPA decisions on cookie banners  

  • Scepticism in Germany over the resilience of the EU-US Data Privacy Framework

  • EADPP's newest catalog is out, featuring the latest data protection technology solutions

  • Data privacy around the globe: news from the US, UK and Russia

Compliant cookie banner design? New DPA decisions indicate requirements

Dark patterns and missing "Decline" option on first layer do not fly with the Austrian DPA

A complainant visited a website whose cookie banner offered only “accept” or “learn more” options on its first layer. After the complainant chose "accept", multiple identifiers were saved on the website server and then transmitted to the servers of third-party providers such as Google.

The DPA found a GDPR violation due to the lack of a “decline” option on the first layer, leading to invalid consent and unlawful data processing. The DPA acknowledged the complainant's rightful request for data deletion from the website and third-party servers and stressed the website operator's obligation to notify the third-party providers about the deletion.

After the website operator updated the cookie banner, the DPA found the "decline" option to be visually different from the "accept" option (a so-called "dark pattern") and ordered the controller to further adjust the cookie banner within 8 weeks from the decision date.


Berlin DPA: Different design of buttons unproblematic, as long as "Decline" option is clearly available to the user

Following another recent complaint from noyb, the Berlin DPA had to decide on an allegedly misleading cookie banner design similar to the one in Austria. In this case, the cookie banner design also did not include an option to decline cookies on the first layer of the banner, but only a link to a second layer.

The Berlin DPA concluded that the user's consent was not informed because neither the cookie banner nor the controller's privacy policy provided sufficient information about the processing activities that followed the collection of the cookies. However, the DPA took a more nuanced approach to the design of the cookie banner. The authority clarified that a "decline" button on the first layer of the banner is only required if the cookie banner prevents the user from interacting with the website.

In addition, the DPA concluded that different designs of the two options may be permissible as long as the "decline" button is clearly visible and located where the average user expects it.


Key insights:

  • DPAs appear to be rigorously applying the new EDPB Cookie Banner Taskforce guidelines and the types of violations identified therein, but legal uncertainty remains due to diverging interpretations of what constitutes compliant design

  • In both cases, timely adjustments to the cookie banner design helped avoid penalties

  • The DPAs' enforcement against cookie banners appears to be intensifying, leading to more transparent and user-friendly designs across the industry, but also potentially decreasing consent rates

Scepticism in Germany over the resilience of the EU-US Data Privacy Framework 

Cross-party criticism in the German Parliament against the new framework

Recently, French lawmaker Philippe Latombe filed the first challenge against the new transatlantic data flows agreement. This came as no surprise to members of the Bundestag. Various representatives of German parliamentary groups called for a more solid basis for data transfers and expressed concern that the new agreement is vulnerable to judicial review, as serious doubts regarding the adequacy of data protection in the US remain.


Thuringian Data Protection Authority: Probability the adequacy decision gets overturned "quite high" 

In a recent press release, the Thuringian State Commissioner for data protection (TLFDI), Dr. Lutz Hasse, urges companies relying on the EU-US DPF to be aware of its pitfalls and to reconsider transferring any sensitive data, including customer data, to the US until the European Court of Justice (CJEU) rules on the validity of the new adequacy decision.

In view of the weaknesses of the Framework identified by both the European Data Protection Board (EDPB) and Max Schrems, the Commissioner concludes that the likelihood of the European Court of Justice overturning the adequacy decision is "quite high".


Looming reauthorisation of bulk surveillance program in the US 

Meanwhile, a recent report by the Privacy and Civil Liberties Oversight Board (PCLOB) recommends the reauthorisation of Section 702 of FISA, the legal basis for US bulk surveillance practices, as vital to national security. The report also recommends certain safeguards, focusing primarily on risks to the rights of US persons. There is clear political consensus in Congress that Section 702 must be reauthorised, but there is still disagreement on the inclusion of additional safeguards for the rights and freedoms of natural persons.


Key insights:

  • The reauthorisation of Section 702 of FISA is expected by December 2023 and increases the probability that the EU-US DPF is struck down by the European Court of Justice over concerns that US intelligence agencies could easily access data on European citizens.

  • EU companies can mitigate the legal uncertainty surrounding international data flows by implementing additional measures, which allow them to maintain data control and flexibility over their data transfers.

EADPP's newest catalog is out, featuring the latest data protection technology solutions

As a non-commercial project by the European Association of Data Protection Professionals (EADPP), the Catalog aims to provide essential information and resources to promote General Data Protection Regulation (GDPR) compliance and facilitate privacy-preserved data sharing.


Key insights:

  • The catalog showcases a variety of technology solutions that respond to the dynamic needs of organisations to protect personal data and ensure GDPR compliance.

  • JENTIS is honoured to be featured among these solutions due to the data protection features of its Data Capture Platform, such as Pseudonymisation and Consent Management Integration.

  • JENTIS is currently running pilot projects with customers on its latest innovation, Synthetic User Generation and ID Pooling, to offer a revolutionary method of capturing up to 100% of user data without compromising individual identities.

Data privacy around the globe
