The ECJ's videoconference system complies with data protection rules (EDPS)

With its Schrems II-judgment of 16 July 2020, the Court of Justice declared invalid the EU-US Privacy Shield, governing the transfer of personal data from the European Union to the United States. 

In the absence of this EU-US Privacy Shield, in February 2021 the Court of Justice of the European Union (CJEU), as an EU institution, referred its contract with its US-based videoconferencing operator to the European Data Protection Supervisor (EDPS). 

It asked the EDPS whether these rules complied with the EU’s data protection rules contained in the EU Data Protection Regulation. The EDPS issued two temporary authorisations, in 2021 and 2022, allowing the CJEU to use these contractual clauses. It adopted its final decision on 13 July 2023. 

The EDPS has decided that the CJEU’s videoconferencing services meet the data protection standards under EU Data Protection Regulation. The CJEU is the first EU institution to obtain such approval from the EDPS. The main characteristics of the videoconferencing services used by the CJEU are: 

  • no data is transmitted to the cloud for confidential meetings; 
  • very limited data transmitted to the cloud for other meetings with full and strong encryption (end-to-end encryption, one to many points) by default; 
  • combined with strong technical and organisational measures; and moreover 
  • the use of cloud servers located exclusively within the EU. 

The final decision of the EDPS adopted on 13 July 2023 may be consulted on the EDPS’ website. (source curia.europa.eu/photo freepik.com)

Comments

Post a Comment

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld her find
Read more

A national court is not required to apply a decision of its constitutional court that infringes EU law (ECJ)

Image
In its Judgment of 26.9.2024 in Case C-792/22 (Energotehnica) the Court of Justice ruled as regards the right to an effective remedy that a national court is not required to apply a decision of its constitutional court that infringes EU law. In such a case, the national court may not be penalised.  Following the death of an electrician by electrocution during a maintenance operation, an administrative procedure was initiated against his employer. At the same time, criminal proceedings for negligence and manslaughter were initiated against the supervisor. The victim’s next of kin also became civil parties to the criminal proceedings.  The administrative court hearing the dispute concluded that the present case did not involve an ‘accident at work’. It annulled the administrative penalties imposed on the employer. According to national legislation, as interpreted by the Romanian Constitutional Court, that administrative decision prevents the criminal court from reconsidering whether the
Read more

ECHR President: Covid-19 pandemic has raised a number of important human rights issues

Image
Increased polarisation and challenges to Europe’s fundamental principles, together with the global COVID-19 pandemic, are likely to create the most difficult period we have seen in many years, according to the President of the European Court of Human Rights (ECHR). Speaking at the court’s annual press conference in Strasbourg, ECHR President Robert Spano said that democracy, the independence of the judiciary and the rule of law are increasingly being called into question at both the European and global levels. He added that the on-going pandemic has already raised a number of important human rights issues, including the proportionality of measures taken by Council of Europe member states, the legal basis of those measures and the use of domestic procedures to sanction actions or inaction. President Spano underlined that the ECHR has been able to continue its work despite the pandemic, deciding on over 39,190 applications in 2020 and holding online public hearings for the first time.
Read more

The name Pablo Escobar may not be registered as an EU trade mark

Image
According to the Judgment of the General Court in Case T-255/23 (Escobar v EUIPO) the name Pablo Escobar may not be registered as an EU trade mark. The public would associate that name with drug trafficking and narco-terrorism.  On 30 September 2021, Escobar Inc., established in Puerto Rico (United States), filed an application with the European Union Intellectual Property Office (EUIPO) for registration of the word sign Pablo Escobar as an EU trade mark for a wide range of goods and services.  The Colombian national named Pablo Escobar, who was born on 1 December 1949 and died on 2 December 1993, is presumed to be a drug lord and a narco-terrorist who founded and was the sole leader of the Medellín cartel (Colombia).  EUIPO rejected the application for registration on the ground that the mark was contrary to public policy and to accepted principles of morality. It relied on the perception of the Spanish public, as it is the most familiar with Pablo Escobar due to the links between Spa
Read more

Imposition of fines and order to comply following a leak of expats’ personal data file by Greek Data Protection Authority

Image
The Greek Supervisory Authority for Data Protection imposed on the Greek Ministry of the Interior,  an administrative fine totalling EUR 400,000 and on a Member of European Parliament an administrative fine totalling EUR 40,000 for infringements of GDPR. The Hellenic Data Protection Authority received a large number of complaints regarding unsolicited political communication via e-mail sent on 1/3/2024 and entitled "100 days before the European elections", by Member of European Parliament Anna-Michelle Asimakopoulou. Following this, the Authority investigated the case ex officio, exercising immediately its powers of investigation and auditing the bodies involved. Following a series of on-the-spot audits and the receipt of evidence and data in the context of the audit, it was found that a file containing personal data of all registered Greek expatriate voters for the June 2023 elections, for which the Hellenic Ministry of the Interior is the controller, and for which the leg
Read more

Gigantic fine for unfair practices imposed on Booking.com by the Competition Authority of Hungary

Image
One of the highest fines for violation of unfair competition law has been imposed (28/4/2020) on online hotel booking platform ‘’Booking.com’’ by the Hungarian Competition Authority. The amount of the fine (approximately EUR 6 million / HUF 2.5 billion) imposed by the Authority illustrates the seriousness of the Dutch company's violations. The Hungarian Competition Authority (GVH) imposed a fine of HUF 2.5 billion on the operator of the online booking portal booking.com, and at the same time banned the Dutch company from continuing its aggressive sales methods. According to the decision of the competition authority, Booking.com B.V. engaged in unfair commercial practices against consumers by, among other things, misleadingly advertising some of its accommodations with a free cancellation option and exerting undue psychological pressure on consumers to make early bookings. As a result of the Competition Authority’s competition supervision proceeding  initiated in 2018, the autho
Read more

Personal data protection: The supervisory authority is not obliged to exercise a corrective power in all cases of breach and, in particular, to impose a fine

Image
In its Judgment in Case C-768/21 (Land Hessen/ 26.9.2024) the Court of Justice ruled that, the data protection supervisory authority is not obliged to exercise a corrective power in all cases of breach and, in particular, to impose a fine. It may refrain from doing so where the controller has already taken the necessary measures on its own initiative.  In Germany, a savings bank found that one of its employees had consulted a customer's personal data on several occasions without being authorised to do so. The savings bank did not inform the customer of this, as its data protection officer had taken the view that there was no high risk for him. The employee had confirmed in writing that she had neither copied nor retained the data, that she had not transferred them to third parties and that she would not do so in the future.  In addition, the savings bank had taken disciplinary measures against her. The savings bank nevertheless notified the Land Hessen’s Commissioner for Data Prote
Read more