Record Fine: Belgium’s Court orders Facebook to stop Data Protection law violation under forfeiture of a penalty of € 250,000 per day; Big Data: Opinion of The European Data Protection Supervisor; Safe Harbor Topic 1: Hamburg DPA actively preparing enforcement actions; Data Protection vs. Terrorism: Belgium to push for Passenger Records Law following Paris attacks; Safe Harbor Topic 2: EU Chief Jourova confident about ongoing Safe Harbor negotiations; Safe Harbor Topic 3: Norwegian DPA requires authorization of US data transfers.

Penalties and Fines: Belgium’s Court orders Facebook to stop violations of Belgium Data Protection Act under forfeiture of a penalty of €250,000 per day

A Belgian Court has fined Facebook €250.000 per day for violations of the Belgian Data Protection Act.

Facebook had collected web data of millions of Belgians who are not members of Facebook’s social network page, but were simply visiting websites. The Court in its judgment of 9 November 2015 found that this way of collecting data is a “manifest” violation of Belgian data protection law. According to the court, this applies irrespective of the purposes Facebook uses this data after having collecting it. Facebook argued that European users of its social network are subject to the Irish Data Protection Law (instead of Belgian law). The court disagreed citing the well-known Google Spain case that ruled that a Member State law applies if the activities of a local establishment are inextricably linked to the activities of the data controller.

The Court ordered to stop the violations under forfeiture of a penalty of €250.000 per day. The court based this on the consideration that the penalty’s amount needs to be sufficiently deterrent. The Court pointed out that Facebook in 2014 realized a turnover of  US-$ 12.4 billion and a profit of US-$ 2.9 billion, so that the amount of € 250,000 per day was considered adequate.  Facebook has announced that it will file an appeal against the judgment, which however does suspend the initial judgment.

Big Data: Opinion of The European Data Protection Supervisor (EDPS)

The European Data Protection Supervisor (EDPS) on Nov. 19 issued an Opinion regarding the challenges of Big Data.  It calls for transparency, user control and data protection by design and accountability, principles which are enshrined in the draft General Data Protection Regulation.

The EDPS discusses the opportunities, risks and challenges of Big Data and Big Data Analytics, provides recommendations, and discusses next steps to put the principles into practice, with reference to the General Data Protection Regulation.

Adequacy: Hamburg DPA is Engaged in a Process to Identify and Prosecute Data Transfers to the US

The German state DPA of Hamburg is actively examining which companies are or plan to send data to the US over the next two months. In the aftermath of the October 6 European Court of Justice (“ECJ”) decision invalidating the original safe harbor agreement that had been in effect for fifteen years, the DPA therefore keeps taking an aggressive approach among all DPAs of the European Member States.

The DPA has announced that companies, who are not making efforts to comply with the ECJ decision, will be subject to enforcement in form of fines, starting at the end of January 2016.

The German state authority has also commented on the “consent solution” currently used by Google. In that regard, the DPA of Hamburg has apparently sent “orders” to Google to i.a. provide documentation in order to allow it to investigate whether the “consent solution” of Google results in a valid consent that would allow the transfer of personal data to the US.

Belgium to Push Ahead With Passenger Records Law as a result to the Paris attacks

Belgium is pushing ahead the finalization of a Passenger Records Law as a result of the recent terrorist attacks in Paris. This law is aimed to apply to international trains as well as aviation, Belgian Prime Minister Charles Michel said on Nov. 19.

The release of this law is just one of many steps the Belgian government is taking in order to try and increase the security level.

EU Justice Chief Vera Jourova Updates on New Safe Harbor Pact Negotiations

Safe Harbor Invalidation, the 2nd:

In the aftermath of the October 6 European Court of Justice (“ECJ”) decision invalidating the Commission Decision that put in place the EU-US Safe Harbor agreement that had been in effect for fifteen years, the EU and the US continue negotiations on a solution for the EU-US data transfers.

On 16 November, EU Justice Chief Vera Jourova gave an interview to the Wall Street Journal, in which she stated to be confident about coming to an agreement prior to the end of the so called “grace period” (i.e. the period during which Data Protection Authorities agreed not to take enforcement measures in the aftermath of the ECJ Safe Harbor judgment), ending on 31 January 2016.  Jourova stressed that “given the sense of urgency, which both [sides] understand — it [was] high time and …very useful and necessary that [the EU and the US] meet on the highest possible level.”

Items that are still under negotiation are those that the court had emphasized in its October 6 ruling]. However, Jourova is positive about things being achievable and negotiable. “Of course when you go to technical details, you see that we will still need some time. We are under huge pressure because we mean it when we say that we need to finalize this within three months. I would like to have it earlier for the sake of urgency and necessity to guarantee the legal certainty for the businesses.”

Adequacy: Norwegian Organisations Must Obtain the Authorisation of the DPA Prior to Conducting Data Transfers to the US

Safe Harbor Invalidation, the 3rd:

In the ongoing discussions about the future of EU-US data transfers after the October 6 decision of the European Court of Justice, the Data Protection Authorities of the Member States keep testing their newly discovered powers and independence.

The Norwegian DPA announced that it discourages the transfer of personal data to the US based on the consent of the individual alone, but rather recommends obtaining the DPA’s approval prior to conducting any transfers to the US.   But it seems that if the data transfers are based on the so-called “standard contractual clauses” recognized by the EU Commission, the approval of the DPA should be obtained.

The Norwegian DPA therefore follows the approach of many European DPAs who require an application for authorization, or at least a filing of the contract used for conformity check with the “Standard Contractual Clauses”.

Earlier, some German DPA’s also already declared that consent might only serve as a justification for data transfers “in exceptional cases.”