Showing posts from August, 2023

Germany: Eight people indicted in connection with €80 million VAT fraud involving luxury cars (EPPO)

The European Public Prosecutor’s Office (EPPO) in Berlin (Germany) has filed an indictment against eight suspects in connection with a VAT fraud scheme involving the trade of luxury cars and medical face masks, with an estimated damage of €80 million. Four of the defendants are charged with orchestrating the VAT fraud as members of an organised criminal group; among them is the suspected ringleader. Another defendant is charged with aiding and abetting. Two others are accused of money laundering activities. A notary, believed to have assisted the organised criminal group during a period of a number of years, is charged with forgery and false notarisation. The investigation uncovered a complex network through which luxury cars and medical face masks were traded, using shell companies in several countries – including Czechia, Germany and Poland. The defendants are believed to have used people in economic difficulty from Poland and Latvia as straw men. It is also alleged that the main s

A national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed (ECJ)

According to Judgment of the European Court of Justice in Case C-252/21 (Meta Platforms and Others), a national competition authority can find, in the context of the examination of an abuse of a dominant position, that the GDPR has been infringed. Bound by the duty of sincere cooperation, it must nonetheless take into consideration any decision or investigation by the competent supervisory authority pursuant to that regulation. Meta Platforms Ireland operates the online social network Facebook within the European Union. When they register with Facebook, its users accept the general terms drawn up by that company and, consequently, the data and cookies policies. According to those policies, Meta Platforms Ireland collects data about user activities on and off the social network and links them with the Facebook accounts of the users concerned. The latter data, also known as ‘off-Facebook data’, are data concerning visits to third-party webpages and apps as well as data concerning the

The ECJ's videoconference system complies with data protection rules (EDPS)

With its Schrems II-judgment of 16 July 2020, the Court of Justice declared invalid the EU-US Privacy Shield , governing the transfer of personal data from the European Union to the United States.  In the absence of this EU-US Privacy Shield, in February 2021 the Court of Justice of the European Union (CJEU), as an EU institution, referred its contract with its US-based videoconferencing operator to the European Data Protection Supervisor (EDPS).  It asked the EDPS whether these rules complied with the EU’s data protection rules contained in the EU Data Protection Regulation . The EDPS issued two temporary authorisations, in 2021 and 2022, allowing the CJEU to use these contractual clauses. It adopted its final decision on 13 July 2023.  The EDPS has decided that the CJEU’s videoconferencing services meet the data protection standards under EU Data Protection Regulation. The CJEU is the first EU institution to obtain such approval from the EDPS. The main characteristics of the videoco

TikTok processing of children’s data: Dispute's settlement by European Data Protection Board

The European Data Protection Board (EDPB) adopted a dispute resolution decision on the basis of Art. 65 GDPR concerning a draft decision of the Irish Data Protection Authority (DPA) regarding TikTok Technology Limited (TTL).  The binding decision addresses legal questions arising from objections to the draft decision of the Irish DPA as lead supervisory authority (LSA) regarding TikTok Technology Ltd. The EDPB binding decision ensures the correct and consistent application of the GDPR by the national DPAs. The Irish DPA issued the draft decision following an own-volition inquiry into the processing by TTL of personal data of registered TikTok users between the ages of 13 and 17, as well as certain issues regarding TTL’s processing of personal data of children under the age of 13. As no consensus was reached on the objections lodged by DPAs, the EDPB was called upon to settle the dispute between the DPAs within two months. The objections concerned, among other things, whether ther

GDPR breach: 300.000€ fine against bank after lack of transparency over automated rejection of credit card application

A Berlin based bank offered a credit card on their website. Using an online form, the bank requested various data about the applicant's income, occupation and personal details. Based on the information requested and additional data from external sources, the bank's algorithm rejected the customer's application without any particular justification. The algorithm is based on criteria and rules previously defined by the bank. Since the client had a good credit rating and a regular high income, he doubted the automated rejection and complained to the Berlin data protection commissioner.  Even when asked by the complainant, the bank only provided blanket information about the scoring procedure, detached from the individual case. However, it refused to tell him why it assumed a poor creditworthiness in his case. The complainant was thus unable to understand which data basis and factors formed the basis of the automated rejection and on the basis of which criteria his credit car