Category: Article

The UK Adequacy Decision and the Looming Possibility of a Schrems III

by Osal Stephen Kelly*

Introduction

In July 2020, the Court of Justice of the European Union (“CJEU”) delivered its judgment in the Schrems II case brought by the Austrian lawyer and activist Max Schrems, with far-reaching implications for data protection policy and practice. One question of particular urgency is what the consequences will be for the continued flow of personal data from the EU to the UK; while the EU-UK Trade and Cooperation Agreement temporarily allows these flows to continue on the same terms as between member states, this will end on 30th June 2021.  The purpose of this period is to allow for the EU Commission to determine whether or not to grant an “adequacy decision” that would confirm that the UK provides a level of protection essentially equivalent to that of member states, which would allow for these important transfers to continue indefinitely. While the Commission has issued a draft adequacy decision, some of the issues identified by the European Data Protection Board (“EDPB”) in its recent opinion on the draft expose frailties in these protections that could form the basis for a legal challenge in the future. It is submitted that there are two areas of particular vulnerability that would be key in any such challenge. First, there are serious unresolved questions around the powers of UK and US authorities to access data for security purposes. Second, the UK’s emerging post-Brexit constitutional and legal framework is likely to be somewhat less advantageous to data subjects vindicating their rights than was the case when EU law had direct effect.

Schrems II

Schrems II comes after another case brought forward by Mr Schrems who had already challenged the previous framework as well (Schrems I). The Schrems II case arose from a complaint concerning the transfer of his data from Facebook Ireland to Facebook Inc. (based in the United States). The complaint was made to the Irish Data Protection Commissioner and resulted in the Irish High Court making a preliminary reference to the CJEU. In its submissions, Facebook sought to justify these transfers as permitted by the EU Commission’s Privacy Shield decision, which set additional safeguards for data moving from the EU to the US.  However, the Court found that the Privacy Shield was invalid as the protections offered by US law did not in fact afford the required level of protection. The Court stressed the importance of “effective and enforceable data subject rights” (para. 177 of judgment) and found that data subjects did not enjoy such rights under the Privacy Shield. Particular emphasis was placed on the lack of limits on the power of surveillance agencies to collect data on individuals held by companies such as Facebook (para. 180). While the Court recognised that data controllers could in principle rely on standard contractual clauses approved by the Commission to allow cross-border data transfers to continue, it noted that such clauses did not necessarily protect data from unlawful access by the authorities of the receiving country (para. 141).

from jonesday.com

Schrems III?

Although the UK ceased to be subject to EU law from 31st December 2020, the GDPR has been incorporated (with amendments) into UK domestic law, in line with Section 3 of the European Union (Withdrawal) Act 2018. This amended version, referred to as the “UK GDPR”, now forms the basis of the UK’s legal framework for data protection, along with the UK’s existing Data Protection Act 2018 (draft adequacy decision, Recital 14), and this is the framework that was examined in the Commission’s draft adequacy decision, and, subsequently, the EDPB’s opinion, released on 13th April 2021. Although important, the opinion in itself is non-binding and the final decision on adopting the adequacy decision rests with the Commission, so it is likely to be approved.

The EDPB opinion, read in light of Schrems II, would require the UK’s intelligence operations to apply particular scrutiny over the compliance with the (EU) GDPR. While the tone of the opinion as a whole is very measured, the EDPB nonetheless expresses “strong concerns(para. 88 of opinion) over the data-sharing agreement between US and UK authorities pursuant to the US CLOUD Act. The Act requires US companies to disclose information stored on overseas-based servers on foot of a valid warrant. The EDPB notes that the Commission’s draft decision refers to non-binding “explanations that were provided to it by UK authorities (para. 88 of opinion). Critically, however, the EDPB notes that these explanations did not seem to comprise “any concrete written assurance or commitment” on the part of the UK Government. It is difficult to see how mere explanations without substantive legal force could be relied upon by data subjects in enforcing their rights, which is concerning, given that the existence of “effective and enforceable data subject rights” was deemed vitally important in Schrems II.

Moreover, para. 189 of the opinion highlights how broad the general exemption is for intelligence-related processing, stating that “national security certificate DPA/S27/Security Service provides that until 24 July 2024, personal data processed ‘for, on behalf of, at the request of or with the aid or assistance of the Security Service or’ and ‘where such processing is necessary to facilitate the proper discharge of the functions of the Security Service described in section 1 of the Security Service Act 1989’ are exempted from the corresponding provisions in UK law to Chapter V GDPR in relation to transfers of personal data to third countries or international organisations”.

This provision is similarly open-ended to Section 702 of the US Foreign Intelligence Surveillance Act, which had been considered not to afford a sufficient level of protection to data flows in Schrems II (para. 180 of judgment). If Part V GDPR (and equivalent provisions in the UK GDPR) does not apply to intelligence processing, personal data would be transferred to US authorities and thus fall within the scope of the Court’s ruling in Schrems II.

Given that the UK is no longer a member of the EU and subject to the jurisdiction of the CJEU, issues also arise in relation to the UK’s overall legal framework (para. 54 of opinion). The Commission has placed great emphasis on the fact that the UK will continue to be a party to the European Convention on Human Rights (“ECHR”) and thus of the “European privacy family” (press release accompanying the adequacy decision). However, while the set of rights listed in the ECHR are also included in the EU’s Charter of Fundamental Rights, in Schrems II the Court notes that the ECHR is not part of the EU law acquis (paras. 98, 99 of judgment). Furthermore, the UK Government will review the Human Rights Act 1998 which implements the ECHR in the UK. The review will consider whether courts have been “unduly drawn into matters of policy”. Given that the CJEU identified “effective and enforceable data subject rights” as key in determining whether a country provided an adequate level of protection (para. 45 of judgment), any dilution of the rights of citizens to invoke their ECHR rights would be likely to count against the UK in the event of a legal challenge.

Conclusion

The foregoing indicates that a credible case could be brought before the Court to challenge the validity of the adequacy decision in the future. On a practical note, data controllers can at least be reassured by the CJEU’s clarification in Schrems II that an adequacy decision enjoys, in effect, a presumption of legality until it is successfully challenged (para. 156 of judgment), and accordingly they should not incur any liability for data transfers while the adequacy decision remains in place, for whatever period that may be.

*Osal Kelly is a postgraduate Law student in the Law Society of Ireland in Dublin and holds an undergraduate degree in Philosophy from Trinity College, Dublin. He currently works in the Irish public service. This article is written in a personal capacity.

 

EU Data Protection in Trade Agreements

 

by David Scholte*

Practical solutions to a theoretical conundrum

After the implementation of the General Data Protection Regulation (GDPR) in 2018, the European Union (EU) has been striving to keep up the high standards of protection of personal data transfers of EU citizens throughout the world. In order to secure these standards, it has two powerful different tools at its disposal.

Tool number one is the ´adequacy decision´. The EU commission will ´determine […] whether a country outside of the EU offers an adequate level of data protection´.(European Commission, Adequacy Decisions) Adequate means comparable to the protection offered by the EU. If so determined, the cross-border data flow between the EU and the third country can take place unimpeded and without any further safeguards. Tool number two are data protection provisions in the trade agreements between the EU and third countries. (See art. 28.3(2)(ii) CETA, art. 8.3 JEFTA and art. 8.62(e)(ii) EU-Singapore FTA)

The EU is a prominent advocate of liberalising (digital) trade but will always vehemently protect its data protection standards; this is made explicit in the statement that ´the EU data protection rules cannot be subject to negotiations in a free trade agreement´. (COM(2017) 7 final)

Data protection clauses in previous trade agreements used to be sectorial provisions modelled after art. XIV from the multilateral ´General Agreement on Trade in Services (GATS). However, with the changeability of digital trade and with the implementation of the broad scoped GDPR, the EU´s view was that new provisions were needed.

´These horizontal provisions rule out unjustified restrictions, such as forced data localisation requirements, whilst preserving the regulatory autonomy of the parties to protect the fundamental right to data protection´. (COM(2020) 264 final)

In 2018 the Commission published horizontal draft provisions that it intended to include in future trade agreements. It is noted that the provisions modeled after the GATS article have always included the requirement of ´necessity’ and stated that any measure taken with regard to the protection of personal data must not be a ´means of arbitrary or unjustifiable discrimination [or] a disguised restriction´. However, the new provisions would be applicable throughout the agreement and, most importantly, do away with the conditions and limitations found in the old type of provisions.

There are no longer requirements that must be fulfilled before a measure with regard to personal data can be taken. The Draft provisions regarding data protection are as following:

  1. Each party ecognizes that the protection of personal data and privacy is a fundamental right […]
  2. Each party may adopt and maintain the safeguards it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in this agreement shall affect the protection of personal data and privacy afforded by the Parties´ respective safeguards.
  3. Each party shall inform the other Party about any safeguard it adopts or maintains according to paragraph 2.
  4. For the purposes of this agreement, ´personal data´ means any information relating to an identified or identifiable natural person.
  5. For greater certainty, the Investment Court System does not apply to the provisions in Articles 1 and 2.
From briefingsforbritain.co.uk

Although the EU had proposed this provision in trade negotiations with Australia and New Zealand. the first agreement where this new type of rules has been fully implemented is the EU-UK Trade and Cooperation Agreement (TCA), albeit in a slightly different form.

  1. Each Party recognises that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade.
  2. Nothing in this Agreement shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the data transferred.
  3. Each Party shall inform the other Party about any measure referred to in paragraph 2 that it adopts or maintains.

The compromise between the position of the parties reflects the difficulties in translating drafted horizontal provision into real negotiations. What is clear is that the all-encompassing, condition-less provision that the Commission had envisioned did not come to fruition. In the first paragraph data protection is no longer a fundamental right, something that is striking among purists and puts the protection of data legally on a lower pedestal than if it would have remained a fundamental right.

Moreover, in the draft provision, paragraph two gives both parties full authority over the adoption of safeguards, with no conditions attached. In contrast, the adopted TCA’s provision is worded quite differently: ´nothing in this agreement shall prevent […] provided that´ instead of ´Each party may adopt´. This gives the paragraph a negative wording with again some conditions attached. It bears a resemblance to the GATS article meaning that it would not be without conflict and possible dispute. (WTO Analytical Index, GATS – Article XIV (Jurisprudence))

Because of the transition period, under the agreement data flows are still unrestricted as long as the UK continue to apply the data protection rules, based on EU law (EU-UK Agreement part seven, Article FINPROV. 10A(4)). Moreover, with a pending adequacy decision, a large differentiation between the UK and EU data protection is not likely to arise. When the data protection in the UK is deemed to be adequate the article will become moot.

However, this quite substantial modification from the original proposal by the EU does show that the EU might be flexible on the wording of such rules. In the TCA case, the EU position is explained by the special and interconnected relationship with the UK, a European country and a former Member State. Nonetheless, it is interesting that the EU Commission did accept different draft provisions, although it had defiantly stated that those provisions would not be subject to negotiations.

In the future the EU will strive to include such horizontal provision in all future trade deals. Indeed, in the trade negotiations with Australia and New Zealand the provisions proposed are again mirroring the draft provisions. With New Zealand already having received an adequacy decision from the Commission, the question remains if a horizontal provision is a priority for both parties. Considering New Zealand’s ´culture of compliance´ (Henning, 2020) data protection will not be a major hurdle and one can expect the horizontal provision to be included in the upcoming EU-New Zealand trade deal without significant amendments.

For countries without this close connection to the EU data rules, such as Australia, the inclusion of such broad horizontal provision could be problematic. Third countries have the reasonable worry that such blanket exception could be used for ´otherwise unjustifiable IT and data localization requirements´. (Yakovleva & Irion, 2020, 219)

The provisions in the Australia and New Zealand deals will give a clearer idea on what these new horizontal provisions mean for EU trade negotiations and deals. It seems however that the Commission’s position on the matter is far more practical and reliant on adequacy decisions, thus unilateral, than it presents to be at first glance. The full regulatory autonomy that the EU strives for has not been achieved in the TCA and will thus most likely not be achieved in future trade deals. A missed opportunity.

 

*David Scholte is a Junior Lecturer in EU Law at Utrecht University, the Netherlands. He is also currently pursuing a Master in International Relations at Leiden University.

EU Travel: The EU’s Package Travel Directive and COVID-19

by Robert Babirad *

 

 

I          Introduction

The unexpected cancellation of a long awaited, pre-paid vacation is nothing to joke about.  Naturally, if this happens and particularly during these turbulent times, the next question is how does one obtain a refund?  Secondly, under what conditions is this even possible and especially given the current global pandemic?  In November 2015, Directive 2015/2302/EU on Package Travel and Linked Travel was enacted. In light of the recent Coronavirus pandemic, guidance was again recently issued on current interpretations of this Directive and particularly with regard to how it will impact today’s travelers within the European Union.

 

II         The Package Travel Directive

The Package Travel Directive aims to enhance the European Union’s internal and single market performance. This is expected to occur through attaining, to the highest degree possible, a “uniform” and “high” degree of protection for EU consumers with regard to those contracts executed between both merchants and travelers and “relating to package travel and linked travel arrangements. The Directive aids in the “approximating” of the various laws pertaining to packaged travel across the EU’s Member States, as well as to particular aspects of their respective regulations, laws and those provisions that govern the administration of this area.

Harmonisation in consumer protection through legal approximation across the EU is the overarching objective of this Directive.

 

III       Cancellations and Refunds

Throughout the European Union, the governments of the Member States have been and continue to be, enacting measures, which have the intended objective of reducing the continued proliferation of the COVID-19 virus. One example is the introduction of the tier system in the UK.  A system of three tiers has been implemented in order to limit an increase in the infection rate. These three tiers range from Tier One at “Medium Alert” to Tier 3, which is classified as a “Very High Alert” area. These labels are based upon where the infection rate is the greatest and contain varying levels of restrictions. An example is that of not being permitted to “socialise in a group” outside publicly with more than six people with whom you regularly reside or whom are not included within your regular “support bubble. These actions have additionally extended beyond border controls and internal, national restrictions, to the overall limiting and restricting of travel both within the EU and from abroad. Travel is regulated on a Member State basis throughout the EU. As a result, the measures that have been enacted in the fight against COVID vary widely based on the country that is implementing them.   In other words, each country within the EU is implementing their own restrictions on where and with how many people you may socialize, testing requirements for the virus, where a mask is required and what an individual has to do if they want to travel to another location within the same country or abroad. At the EU level, it is the Directive on Package Travel and Linked Travel Arrangements that provides overall guidance to those impacted by unexpected cancellations of pre-booked packaged holidays.  This Directive acts as a unified means of providing consumer protection despite the new restrictions and limitations being introduced by the Member States individually at the present time.

Article 12(2) of the Package Travel Directive states that prior to the start or execution of a purchased travel package, the traveler may terminate the contract and receive a full refund, as well as not be responsible for incurring any termination fees, if certain conditions are met. These conditions are namely “unavoidable and extraordinary circumstances occurring at the place of destination or its immediate vicinity,” and which are “significantly affecting the performance of the package,” or those which “significantly affect the carriage of passengers to the destination. The concept of that which “significantly” impacts the “performance of the package” is somewhat ambiguous and seemingly open to varying interpretations.  The definition of significance remains unclear.

However, trips may be cancelled without any penalty to the organiser, where that entity is unable to execute the contract between the person booking the trip and the entity offering the package, and where these “unavoidable” and “extraordinary circumstances” exist. Similar protections exist on the consumer side as well.

 

IV        Undue Delay

It is of interest to note that the Directive also requires that travelers who booked the package be notified promptly and without “undue delay” and prior to “the start of the package” if the organiser cancels the trip. The Directive does not clarify the interpretation of “undue delay” in the notification to the consumer.  Therefore, the scenario is possible where the seller of the travel package already has knowledge of restrictions or limitations that have been or are about to be imposed by a national government, because of the Corona Virus.  Perhaps, in not wanting to lose their profits, the merchant holds off on informing the consumer, with the hope that the restrictions will soon be lifted or invalidated and the package will not need to be cancelled.  How long would constitute “undue delay” in informing the consumer in a scenario such as this?  Unfortunately, the Directive fails to provide meaningful guidance to the consumer in this regard.

 

V         Unavoidable and Extraordinary Circumstances

Article 12(2) of the Package Travel Directive permits travelers to be free of any penalty when cancelling a package trip as well, where the condition of “unavoidable and extraordinary circumstances” is present “at the place of destination or its immediate vicinity. The guidance which has recently been provided in light of the Coronavirus pandemic suggests that these circumstances entail a situation in which the traveler faces that which is beyond their control, and the results of those same circumstances were unable to be prevented by the consumer. This is in spite of taking of all “reasonable measures. The question is then raised as to what “reasonable measures” does the traveler need to take in order to be free of cancellation penalties for their package trip where there are “unavoidable and extraordinary circumstances” present?  It seems obvious that in most cases, there would be nothing that the traveler would be able to do, where, for example, the virus is present in a Member State and travel is otherwise blocked.  However, what situation would require “reasonable measures” to be taken by the consumer and what would those entail for purposes of meeting the criteria under this aspect of the Directive?

 

The information provided is helpful in that it states that COVID-19, another disease, or some other substantial health risk at the intended place of travel in the booking, would satisfy the criteria of constituting situations which are “extraordinary” and “unavoidable. On this, the Directive and the guidance recently provided is clear.  In other words, if the virus is present and travel is being blocked by national authorities upon your arrival in another EU nation, there is nothing more that you can do as a traveler.  This would be a situation considered “extraordinary” and “unavoidable” and there are no further “reasonable measures” in this regard that need to be taken by you.

Additionally, a traveler can employ the use of a national warning related to their travel, as a possibly effective strategy for demonstrating that there has been a circumstance, which is “extraordinary” and “unavoidable” and would justify them or the seller of the package in cancelling the contract, because of the impact on the actual trip’s execution. In other words, a national travel warning could be enough to constitute the “extraordinary” and “unavoidable” criteria necessary for fulfilment of the Directive and obtaining a full refund.

The guidance provided does also state that if the package travel contract cannot be executed, because of the authorities in a Member State prohibiting a certain type of movement or travel, this indeed would meet the criteria of circumstances, which are otherwise considered “extraordinary” and “unavoidable. Limitations enacted by an official authoritative body in a Member State relating to your trip, such as an attraction being closed, are also in all likelihood, qualifying measures that enable a package travel purchase to be effectively cancelled by the operator or the traveler.

 

VI        Significantly Affecting the Package’s Performance

However, there is room for discretion and ambiguity in determining whether the circumstances actually constitute having an impact on the execution of the travel package and to the degree that a court would consider these to be “significant” enough for purposes of the Directive. There is a definite lack of clarity in this regard, and the Directive has in all likelihood been left purposefully vague and ambiguous here in order to allow each national court to make an assessment and interpretation that is specific to the circumstances.  However, although seemingly done intentionally, this wording still leaves a certain degree of confusion on the traveler’s behalf.

Interestingly enough, fear is also not enough for a refund.  If a traveler feels a sense of fear toward going to a destination in their package travel arrangement, this will not be adequate enough for a traveler to cancel their package and receive a full refund.[i]  Instead, there must be a determination based on reasonableness in the context of potential life and health risks with regard to the decision as to whether travel to the place(s) in the contract would merit cancellation and entitle the traveler to a refund. If this situation is found to exist, the traveler or the purveyor of the package retains the right to cancel.

After the contract is cancelled, there will also be a period of fourteen days in which the traveler may receive a refund for their package travel purchase.

Vouchers for taking the trip at a later date may also be issued to travelers in lieu of a refund.  However, there is also a lack of clarity here with regard to the possibility of a refund for a voucher that is not used or cannot be used within the time allotted.  In all likelihood, the voucher itself would be issued under a separate contract with its own terms, conditions and refund policy and therefore not pose a problem under the Directive.  This does not appear to be a cause of concern to the prospective traveler, but there is little guidance regarding vouchers otherwise given in this regard.

It is advised though that travelers should be open to accepting that their packaged tours are postponed until sometime in the future, because of the “strains on liquidity of tour operators,” which has resulted in them being burdened with claims for reimbursement and “missing new bookings. Travelers are encouraged to consider the possibility of accepting these vouchers or “credit note(s),” as long as the possibility remains of a full refund if the voucher is not ultimately used. The universal “uncertainty” surrounding travel arrangements is acknowledged and vouchers are offered as a potential option with the final possibility of a refund if needed by the traveler.

 

VII      Traveler Assistance

The operator of a booked tour is required to provide travelers with assistance if they encounter blocks while on their trip and outside of their own respective Member State. This is particularly relevant given the rapidity of the changing situation regarding restrictions, quarantine and other limitations being imposed on a day to day basis under the current global pandemic.  Health service information, as well as information regarding consular and help from regional authorities must be provided by the operator of the tour, to a traveler encountering challenges on their trip.

If a traveler is unable to return from their packaged tour, because of circumstances which are “unavoidable” and “extraordinary,” the operator of the tour has additional responsibilities. They must pay for the stranded traveler’s accommodation for up to three nights where the traveler’s transport back home was included in the pre-purchased travel package’s cost.

If the authorities in a locale that one travels to require the traveler to go under quarantine, and as a result, that individual does not make their flight back home, there are options. The national rules of the respective Member State in question, with regard to the quarantine, may enable the traveler to make a claim for repatriation and greater accommodation costs.

 

VIII    Conclusion

 The recent guidance is helpful regarding when a traveler with a pre-booked package trip may seek a full refund under EU law.  This is especially useful in light of the current global pandemic.  However, there are still vagaries that remain leaving a degree of uncertainty as to whether a consumer is eligible for a full refund of their trip from a vendor with regard to EU law.  This is particularly true with regard to “unavoidable and extraordinary circumstances” under the Directive, as well as with regard to the consumer’s responsibility to take preventative measures, which are considered reasonable.  Additionally, a travel package’s performance being “significantly” impacted remains open to varying interpretations.  Finally, the “undue delay” responsibility on the part of the vendor of the package emerges as clear and uncertain with regard to consumer protection and their respective rights under the Directive.  In summary, there are positive aspects of the Package Travel Directive and its unified approach across the Member States, particularly with regard to the current Coronavirus pandemic.  However, there are aspects under the Directive that even with the current guidance, which has been provided, remain uncertain and vague for consumes of travel packages within the European Union.

 

Robert Babirad holds a Masters in European Union Law from King’s College London and is the author of an upcoming, non-fiction travel memoir titled: In-Transit Passenger: Making the Journey Matter coming out in the Spring of 2021.

Can Legitimate Interests Ground Justify Web-Scraping of Personal Data for Direct Marketing Purposes under the GDPR?

by Ali Talip Pınarbaşı, LLM

 

WHAT IS DIRECT MARKETING? HOW IS WEB-SCRAPING USED FOR DIRECT MARKETING?

 

As grabbing the attention of the customers became harder by  digital advertising, reaching out to customers directly has become more vital for businesses. Examples of such  direct communication includes cold-calling, cold-emailing, postal mail and point of sale marketing. All these methods constitute direct marketing.

The distinguishing feature of direct marketing is that the prospective customer does not initiate a communication; the first step is taken by the seller and the seller usually calls on the customer to take a certain action such as subscribing to newsletters or making a purchase.

Every direct marketing campaign, be it via email marketing or telemarketing, requires access to vast amounts of contact data of customers such as e-mails and phone numbers.

However, such contact data does not magically appear on the databases of the marketers, so they need to extract such data from various sources including websites and online directories.

This is where the web-scraping methods come into play: web-scraping is a technology used to extract the contact details of individuals from websites and online directories. Following the extraction of these data, the marketers then contact individuals to promote their products/services.

For example, an insurance company may want to advertise its new car insurance product to people who have been in car accidents before. To send e-mails or make calls to those people, the insurance company will have to collect the contact details of these individuals. This company can use web-scraping technology to collect their contact details.

 

LEGITIMATE INTERESTS CAN BE THE LEGAL BASIS FOR SCRAPING OF PERSONAL DATA FROM THE WEB FOR DIRECT MARKETING PURPOSES

When the data-controller extracts personal data from the websites or directories, it is likely that she does not have the consent of the data subjects. Therefore, data controllers must justify their scraping activity under another lawful basis for processing of personal data, which will inevitably be the ‘legitimate interests’ basis.

However, it is quite common to come across an article on the internet which posits that GDPR completely prohibited web-scraping and unless there is consent, the processing is unlawful and will lead to hefty fines.

One recent example supporting this prevalent view is French Data Protection Authority’s(CNIL) guidance which rejected the possibility that legitimate interests can justify scraping of personal data. The reasoning behind this position is that data subjects do not expect to receive direct marketing communications from a third-party data controller when they share their personal data with a data controller.

In other words, the Guidance rejects the reliance on legitimate interests ground to justify we-scraping based on one single criteria: the expectations of the data subject.

However, as will be explained below, legitimate interests assessment cannot be reduced to a single determining criteria because it requires taking into account all factors and circumstances.

The following reasons demonstrate why the legitimate interests ground can be used to justify web-scraping.

 

  1. Scraping of personal data from the web is a separate processing activity subject to GDPR and it is distinct from the direct marketing activity itself.

 

Consider a data controller who scrapes personal data from the web and then use this data for direct marketing purposes such as sending cold e-mails to individuals. In this scenario, both the scraping activity and cold e-mailing are two separate processing activities subject to GDPR, and both have the same purpose: direct marketing.

As the scraping of personal data is done for direct marketing purposes, GDPR’s rules for processing of personal data for direct marketing purposes should apply to this scraping activity.

Recital 47 of GDPR states that “[t]he processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”

Considering the GDPR’s approach, rejecting the reliance on legitimate interest ground to justify web-scraping for direct-marketing purposes seems like a bizarre result which does not align with the wording of GDPR.

 

  1. Data controller has the discretion to conduct legitimate interest analysis to justify web-scraping, GDPR does not categorically exclude web-scraping of personal data.

 

Stating that the web-scraping can only be justified on the basis of consent makes web-scraping activities completely illegal under the GDPR, as the consent is almost practically impossible to obtain in web-scraping activities. In other words, rejecting the reliance on legitimate interests means prohibiting a data processing activity that the GDPR did not prohibit.

To the contrary, GDPR explicitly states that processing of personal data for direct marketing purposes can be lawful based on legitimate interests. If the purpose of a web-scraping activity is direct marketing, then it does not make sense to say that consent can be the only lawful basis to justify the scraping activity.

Therefore, the data controller should be able to rely on legitimate interests basis to justify its web-scraping activity.

This of course does not guarantee that the web-scraping activity will be considered lawful in every circumstance. Web-scraping activity can still be unlawful if the conditions for legitimate interests are not satisfied.

Since we established that legitimate interests can justify web-scraping, now let’s look at how it would be applied in practice.

 

APPLYING THE LEGITIMATE INTERESTS TEST TO WEB-SCRAPING FOR DIRECT MARKETING

Legitimate interests test requires a balancing exercise where the interests of the data controller will be weighed against the rights and freedoms of the data subjects. While doing this balancing exercise, all factors and circumstances should be taken into account.

This balancing exercise can be exercised by applying a three-step test:

  1. What are the legitimate interests of the data controller ?

In such a competitive business environment, reaching out to potential customers to promote  its products and services are vital for every business.  Therefore, collecting the contact details of individuals to contact them for direct marketing purposes serves the commercial interests of the data controller. Two examples can be given for these commercial interests.

Firstly, web-scraping for direct marketing purposes cost far less compared to traditional marketing methods or running ads on digital media platforms. This is particularly true for small and medium-sized businesses which have a very limited marketing budget and have difficulties in reaching their target customers.

Secondly, web-scraping can be effective in finding a specific group of customers who might be more likely to engage with the business. For instance, web-scraping can help the business market its products/services to a particular group of people who belong a certain age group or who live in a specific region.

  1. Is web-scraping necessary?

This step require investigation into whether there are less intrusive ways to achieve the goal of marketing.

This will vary depending on the particular industry in which the business operates and the availability of other methods to reach customers as well as the impact on the privacy of the data subject.

For instance, if the data controller is planning to promote its farming equipment to farmers by cold e-mail or cold calling after scraping their contact information, this may pass the necessity test because this may be the most convenient way to reach the customer. This may be because it is almost impossible to reach the farmers on traditional media outlets or by running ads on digital platforms.

  1. Does individual’s interest override the interest of the data controller ?

This step requires a balancing exercise between the two sides. Following factors should be considered in this weighing exercise:

-If the potential privacy impact of the web-scraping on the individual is high, this may tip the balance in favor of unlawfulness of the web-scraping,

-Sensitive character of data,

-Reasonable expectations of the customer,

-Degree of intrusion of the processing.

Depending on the specific circumstances of the case, the result of the balancing exercise will differ.

For instance, let’s imagine two different scenarios where the personal data are scraped from the web for direct marketing purposes.

Scenario 1: Company A scrapes the e-mail addresses of thousands of high school students to promote its math course materials to them via cold emailing. However, it takes appropriate security measures on the data such as encryption and pseudonymization and does not share this data with third parties. Furthermore, it does not send spammy e-mails to each person, but it only selects a small number of relevant students to promote its products.

Scenario 2: Company does the same scraping activity as company A, but it does not apply the relevant security measures and shares the scraped data with third parties.

Comparing these two scenarios, it is crystal-clear that the privacy impact of the A’s scraping activity is almost minimal on individuals whereas the B’s scraping is likely to expose the personal data of the data subject to high-risk.

As can be seen, every web-scraping for direct marketing purposes has different implications on individuals and justifying them on the basis of legitimate interests requires a case-by-case analysis.

CONCLUSION

Legitimate interests ground can justify web-scraping of personal data for direct marketing.

While doing the legitimate interests analysis, all factors and circumstances should be taken into account such as privacy impact on the individual, commercial interests of the web-data controller and necessity of web-scraping instead of just focusing on one criteria such as expectations of individuals.

 

About the author

Ali Talip Pınarbaşı is a Legal Consultant based in Istanbul. He provides legal consultancy services on IP Law and Data Protection Law. He completed his LLM Degree in King’s College London, specializing in IP&IT Law.

Mental healthcare and prevention of suicide should be the first priority of EU Member States after the (first wave?!) 2020 Coronavirus pandemic

Dr. Andraž Teršek, Professor of Constitutional Law

 

  1. Introduction

 

The central purpose of this essay is to, once again, raise the general importance of mental health and suicide. Or, by other words, to once again address the importance of the awareness of general public in EU member States regarding mental health and the problem of suicide. And to at least partially cut off the edges of the stigmatization that is more than obviously still stuck to any attempt at serious and all-inclusive public debate on these issues. At least in my experience.

 

These two questions, or rather “problems” of the today’s society must be understood as the core of public health systems. On national, international and global scale. Especially, this should be particularly emphasized, after the Coronavirus pandemic in the first part of the year. But also because, or especially because the worldwide medical community express most serious concerns and alerts the public it was only the “first wave” of the pandemic which we have just witnessed.

 

One of the most obvious and most harmful consequences of the pandemic was and still is fear, public fear. In combination with loneliness and anxiety, it is fear that further contributes to people’s depression and depressive disorders. Which still too often lead to suicide attempts or even and most tragic – to suicides. Therefore, it was expected when psychiatrists and psychotherapists addressed the public with the information that the mental health problem increased and intensified during the pandemic. Especially in those EU member States where strict quarantine was commanded by the government decrees. Slovenia being one of those States.

 

As a constitutional scholar I have been trying to modestly contribute to such awareness in my homeland, Slovenia, one of the smallest EU member States. I am not satisfied with the effect of my effort. Especially since these two topics are almost neglected in the domestic legal community. This essay represents my determination to continue in trying to positively contribute to the motivation of fellow lawyers to work in greater numbers, more extensively and with lasting determination to increase the quality of the public health system, while at the same time improving the quality and effectiveness of joint mental health care and suicide prevention (not only in Slovenia but) in EU member States. It is not only a question regarding fundamental human rights to health, healthy environment and human dignity. It IS a question about life and death, living and dying.

 

But there is also another, personal reason for this essay…

 

2. In Memory of prof. dr. Andrej Marušič

 

Prof. dr. Andrej Marušič (1965-2008) was my friend. He was a psychiatrist and psychologist, whose work represents an important contribution to the progress in the field of public mental health in Slovenia and worldwide. He has studied Medicine and Psychology in Ljubljana, pursued his postgraduate education mainly in England, where he acquired Doctoral Degree in Psychiatry. As an assistant professor he lectured at the Maudsley Hospital in London and he was the National Coordinator for Mental Health at the World Health Organization (WHO). His particular investigative interest was Suicidiology. He took over a leading function in one of the sections of the International Association for Suicide Prevention (IASP). In 2002 he became the director of the Institute of Public Health of the Republic of Slovenia. He was especially devoted to investigative and clinical work aimed at improving the mental health of an individual and society as a whole. He became the Head of the Health Research Department at the University of Primorska, where he successfully coordinated and completed several national and European research projects focusing on various psychiatric and public health topics. He founded and led his own Health Trust named ‘Healing‘. His rich bibliography includes numerous internationally indexed primary articles from the field of Psychiatry and related disciplines. He was honoured with two international prizes for his research achievements. He was one of the most influential activists for the destigmatization of mental disorders in Slovenia.

 

Andrej’s intelligence, particularly the emotional one, his love and determination for humanity and his intuition enabled him to understand legal concepts and the logic of legal reasoning better than most of the lawyers or even legal experts I have ever met. Personally and professionally it was a privilege to be a part of his intellectual and scientific attention.

 

Professor Marušič invited me to join his team and to use the constitutional law, legal philosophy and legal theory as a tool for policy making and policy developing regarding public health, mental health and the problem of suicide. We were planning a research and postdoctoral study programme Law and Suicidiology. Soon after he got cancer and after several months of struggle and pain the unforgiving illness overcame his strength and his will to live.

 

This essay is a small contribution to Andrej’s professional legacy and a small reflection of my commitment to staying focused on the topic discussed here.

 

3. The Seriousness of Mental Health problem in Europe

 

Mental health is considered to be one of the biggest and most serious health problems in Europe, especially (according to the statistical data) for the last decade.[1] (Note: it is a serious problem in Slovenia also, putting my homeland near the top and in some recent years even on the top of the list of EU member States with the highest rate of suicides per capita). Slovenian and European public still awaits the information how many cases of suicide and suicide attempts were there during the Coronavirus pandemic. But it is already clear: the problem of mental health increased and the assumption it will increase even more seems to be a matter of logic.

 

During the pandemic living conditions were hard to bear and damaging for people with depression, depressive disorders or other mental health problems. Especially since constitutional rights to freedom of movement and socializing were limited (In Slovenia by government decree, prohibiting movement across the municipal borders without special and officially confirmed reasons.) Socializing was limited, in most of the EU member States quite strictly. (In Slovenia even sitting on benches in parks, streets and even in the natural parks and even on the edge of the woods was prohibited.) Even though “the state of emergency” was not officially declared in all of the EU member States (the Slovenian Constitution explicitly determines, by Art. 92, the conditions for such declaration and those conditions were not fulfilled), the exceptional circumstances of public life had an effect as if it has been declared. (Slovenian citizens were living in de facto quarantine.)[2]

 

4. The problem of Fear

 

It soon became obvious people all over the Europe are quite frightened. And they seem to be even more frightened as days went by.[3] For most of the time politicians were the ones addressing the public. They took up most of the space and time in the media. According to the daily TV media programs in some EU member States a little more, in others a little less. Doctors, other medical staff or medical scientists were, such was the impression, in the second or third plan. Not only the politicians, even the WHO was using words, such as “combating the Coronavirus.[4] As if it was the time of war.

 

In most of the EU member States and most of the time (once again, such was the impression due to the daily TV media programmes and government PR-conferences) the public was addressed with pure statistical data: how many people have been tested for CIVID-19, how many of those were positive and how many people daily died –presumably just from virus. Broader context was rarely offered to the public: information about the age of those who were infected, their other diseases, possible terminal illness… By doing so people, especially the elderly, were even more frightened.

 

This fear won’t go away with the officially proclaimed end of the Coronavirus pandemic. (Such proclamation came first in Slovenia, Austria and Hungary came second. It has been suggested other EU member States will do it in the second part of June, combined with the opening of the national borders inside the EU.) And this fear won’t go away easily. It is a legitimate concern it will become a new epidemic. In EU member States who already declared the end of pandemic some citizens are still wearing masks when waking down the streets, driving cars, even exercising in nature (same goes for Slovenia). Even though the pandemic officially ended, even though the WHO did not advise that masks should be worn from the start of the pandemic, and even though medical experts and other professionals strongly oppose wearing masks (but the latter did not respond until after the official end of the pandemic). There are no reasonable indicators it won’t be the same or even worse in other member States where pandemic will officially end much later. People are scared and will remain to be scared.

 

5. The Right to be Protected from Fear

 

Every single individual, every member of the society, every human has the right to be protected from fear – by the State. I claim it is a fundamental human right.[5] Also in its connection to the right for the protection of health, clear environment, natural heritage and human dignity. To be protected from fear, to be protected from mental health damages and to be protected from social reasons for committing suicide are issues which come hand in hand with the positive obligations of the State regarding fundamental human rights, listed in the ECHR, and fundamental constitutional rights and liberties, listed in national Constitutions (also determined by the Slovenian Constitution). This right should be again and again explicitly recognized, addressed and emphasized as a fundamental human right inside the scope of the EU legal order. Not in spite of, but precisely because of the experience of the 2020 Coronavirus pandemic.

 

6. The Short-Term Priorities of the EU

 

Slovenia, as an example of the EU member State, has a National Resolution for facing the mental health problems.[6] But in recent years the forecasts and commitments written in that document basically remained a status of “pure words written on paper,” with no effective and determined, not to say responsible execution in social practice. Even a special Act on Mental Health was enacted, in late 2008, publicly introduced as an appropriate legal framework covering the problems of mental health of individuals and of the Nation. Bit this statute is nothing special. Most of the provisions concern general principles already known and written elsewhere, with addition of the provisions transcribed from the Constitutional Court judgement (No. U-I-60/03) determining fundamental right of individuals who are posted, by doctors or by court decisions, to Psychiatric Hospital for treatment. The documents review of the European Commission regarding mental health of the of citizens of the EU member States shows quite similar picture.[7]

 

In the EU member states the systemic arrangement of the mental health problem remains insufficiently effective. The deficit of professional staff, funds and special capacities remains obvious. Inside the frame of public health system and institutions, which I strongly consider to be a legal and political priority in the near future, this problem must not be ignored or put aside as secondary or even less important.

 

7. Legal Foundations for Further Deliberations

 

In the next months and years special concern should be given to the analysis, interpretation and synthesis of some of the essentially legal and constitutional (not only medical, ethical, philosophical and sociological) questions and problems, directly connected with mental health and the problem of suicide. Mental health and suicide should be fully and publicly addressed as legally relevant phenomena. A constitutional principle of “social state” must be politically and legally strengthened, not weakened. Socially responsible political community (as the EU was supposed to be) may not disregard the issue. Substance and scope of fundamental rights and freedoms closely connected with mental health and the suicide represent special, the most intimate relationship between the State and individual, so the positive nature of fundamental human and constitutional rights must be safeguarded with more effort of the State and its institutions, not with less effort. In this regard the EU Administration must play its part: as a legislator and as a supervisor over the implementation of political commitments and legal duties of the EU member States regarding the public health system, the protection of mental health and the prevention of suicides.

 

8. Work to be done

 

Legal aspects of mental health and the suicide problem represent a subject with quite a deficit in respect of scientific research and evaluation. The analysis of the EU institutions and committees regarding mental health confirm such evaluation. This presents us with necessity to make determined and sufficient steps forward. The model of modern constitutional democracy and the constitutional doctrine of positive obligations of the State enable and demand new approach to legal aspects of mental health and suicide. Some new and legitimate expectations towards legal policy and constitutional obligations of the State have to be made. A comprehensive legal and constitutional analysis should fulfil the gap in national and international prospect. All the relevant potentials of legal theory and legal practice should be determined and used for the purpose of reducing the number of cases of suicide and mental illness present in current social life. Success of this research could enable EU as the “political and legal community” to be progressive in evolving public programmes of mental care, psychotherapy, nursing, preventing suicides and palliative care.

 

The legal community in the EU member States should be deeply involved in forcing the States to do much more in this context as it has been done in previous years. The EU should use common legal order and policy making process to put the EU member States and the daily politics of the member States under an effective control of responding to their legal duties and exercising their ethical, legal and political responsibility regarding mental health and suicide. I consider this to be among the absolute legal and political priorities of the EU legal policies in the next two to five years. Lost time in this regard needs to be made up quickly, with increased awareness, responsibility and efficiency. So I call upon the EU member States legal community for its special and increased attention and effort to face this problem.

 

The author

Dr. Andraž Teršek,

Professor of Constitutional Law,

Faculty of Education, University of Primorska and European Faculty of Law, New University

 

 

References

[1] See, for example: The European Mental Health Action Plan 2013-2020. WHO. Regional office for Europe. Copenhagen, Denmark, 2015: Available at: https://www.euro.who.int/__data/assets/pdf_file/0020/280604/WHO-Europe-Mental-Health-Acion-Plan-2013-2020.pdf  (10. 6. 2020); The State of Mental Health in the European Union. Health & Consumer Protection. Directorate – General. European Commission.  2004-2012. Available at: https://ec.europa.eu/health/ph_projects/2001/monitoring/fp_monitoring_2001_frep_06_en.pdf  (15. 4. 2020)

[2] Living conditions were the most strict in Belgium, France, Germany, Hungary, Italy, Poland and Spain. See: States of emergency in response to the coronavirus crisis: Situation in certain Member States. Available at: https://www.europarl.europa.eu/thinktank/en/document.html?reference=EPRS_BRI(2020)649408 (1. 6. 2020)

[3] In Slovenia another problem became obvious: hostile disposition towards each other was on the rise. Too many people behaved as they were the police, the surveillance agents towards each other, taking photographs and video recordings of their neighbours and strangers, presumably breaking the government decree not to stand too close to each other when having a conversation, not to socialize in groups of more than five people, not to cross the municipal borders on foot, on bikes and with cars, not to sit down on benches in parks, not to throw balls in basketball playgrounds etc. Too many of them were sending such material to the police. Slovenia almost became a Police State: not because of the police (who did a good job during the pandemic), but because of the “puritanical” character of too many individuals.

[4] See: WHO Campaigns/Connecting the world to combat coronavirus.

Available at: https://www.who.int/campaigns/connecting-the-world-to-combat-coronavirus

[5] Let me just remind ourselves of the Universal Declaration of Human Rights, the Atlantic Charter and the Philadelphia Declaration, which marked the end of the II. world war and announced a new world social order. And in particular of the European Social Charter. All these international legal documents address this right – as a fundamental human right.

[6] Resolution on the National Mental Health Program 2018−2028. Available at: http://www.pisrs.si/Pis.web/pregledPredpisa?id=RESO120&d-49681-o=2&d-49681-p=1&d-49681-s=2  (5. 6. 2020)

[7] See footnote No. 1.