25. October 2016
After a meeting of the Article 31 Committee, the European Commission disclosed two drafts concerning the implementation of amendments to the existing adequacy decisions and decisions on EU Model Clauses.
First of all, adequacy decisions determine whether a third country provides adequate safeguards in order to protect personal data. These decisions are made by the Commission after an assessment of the national laws and international commitments in terms of data protection of the respective country. In the following, countries which are established to be adequate are added to the Commission’s “white list”. Therefore, data transfers can be made from the EEA to that country without any further legal requirements.
The opinion concerning these amendments is divided. Some European Member States which participated at the Article 31 Committee meeting were for implemnting theses amendments. However, other European Member States requested more time in order to consider the proposed changes.
Due to this conflict another meeting has to be scheduled to which the Article 29 Working Party will be aksed to contribute by presenting its views on the respective changes.
24. October 2016
Since the ECJ established the right to be delisted from search engines (right to be forgotten) in 2014, Google has received numerous requests from individuals and organizations regarding the deletion of search results that contain their personal data which is not any more current, correct, relevant or which causes damages to the data subjects. The right to be forgotten refers to certain domains, such as co.uk; fr, de, es or nl.
However the French DPA requested Google to delete these results from all Google search domains (including .com). As Google did not fully comply with this request, the French DPA (CNIL) imposed Google a fine early this year.
As the French Highest Court has still to decide about this, Wikimedia, the parent company of Wikipedia, filed a petition in order to take part in the case and support Google France regarding the ongoing dispute about implementation of the “right to be forgotten”. Wikimedia’s legal counsel said in a statement that “no single nation should attempt to control what information the entire world may access”. Furthermore, she added that the application of the right to be forgotten involves the disappearance of several Wikimedia websites, which has an impact on the availability of knowledge.
Not only in France, but also in other jurisdictions is Google facing similar processes regarding the application of the right to be forgotten.
… The reality is that our communications are under constant threat from cybercriminals and spying by state authorities. Young people, the most prolific sharers of personal details and photos over apps like Snapchat, are especially at risk,” concluded Sherif Elsayed-Ali, the head of Amnesty International’s Technology and Human Rights Team, after ranking 11 of the most popular messaging apps in a Message Privacy Ranking.
In this ranking, both Snapchat and Skype received some of the lowest scores. Snapchat only got 26 out of 100 on the organization’s scale, whereas Skype received 40 out of 100. This is due to the fact that end-to-end encryption is not used, although it is highly recommendet to do so, according to Amnesty.
The report explaines that “The apps were marked on their use of encryption and privacy safeguards, as well as how well they advised their users of the app’s security, and whether they released details of government requests for user data.” Furthermore, Sherif Elsayed-Ali stated that “It is up to tech firms to respond to well-known threats to their users’ privacy and freedom of expression, yet many companies are falling at the first hurdle by failing to provide an adequate level of encryption”.
Therefore, it is to note that although they are the world-leading messaging applications, Skype and Snapchat are among the least secure on the market, according to Amnesty.
20. October 2016
The European Court of Justice clarified the definition and the scope of personal data.
The original case, known as the Breyer case, concerned the issue whether dynamic IP addresses are personal data within the meaning of Article 2(a) of Directive 95/46/EC. The European Court of Justice now ruled that IP addresses can be seen as personal data although the information may have to be sought from third parties in order to identify the data subjects.
In detail, the European Court of Justice concludes:
- According to the approach adopted by the Bundesgerichtshof (Federal Court of Justice), a dynamic IP address is not sufficient, in itself, to identify the user who has accessed a web page through it. If the provider of a service on the Internet could, on the contrary, identify the user through the dynamic IP address, it would, no doubt, be personal data within the meaning of Directive 95/46.
- The heart of the question referred is therefore concerned with whether it is relevant, in order to classify dynamic IP addresses as personal data, that a very specific third party — the Internet access service provider — has additional data which, combined with those addresses, may identify a user who has visited a particular web page.
- Therefore, as a first conclusion, I consider that Article 2(a) of Directive 95/46 must be interpreted as meaning that an IP address stored by a service provider in connection with access to its web page constitutes personal data for that service provider, insofar as an Internet service provider has available additional data which make it possible to identify the data subject.
Therefore, the question which is raised due to this ruling is: Will this defintion stand once the GDPR comes into force in 2018?
However, it is highly probable that from now on it will be more difficult for organizations to pseudonymize or anonymize personal data.
18. October 2016
As the Washington Post reported, the Justice Department asked the appeals court for the Southern District of New York to look at the decision concerning Microsoft’s refusal to comply with a search warrant for an alleged drug trafficker’s emails stored on a server in Ireland.
The case which this ruling was based on dealt with Microsoft receiving a warrant in December 2013. However, although it originally has been a case of compliance with a federal law enforcement request, now turned out to be a discussion over government access to digital data held overseas. This is due to increasing challenges to governments if they try to intercept data across borders.
Therefore, Microsoft and a number of tech firms and privacy groups reason that in case the government’s view will be applied, the outcome will be that U.S.-american businesses might lose billions of dollars in revenue.
14. October 2016
The European Passenger Name Records Directive (EU PNR) was passed earlier this year.
Although the European Commission spent tens of millions Euros on 15 national PNR schemes, not a single member state has implemented the respective Directive. There were national PNR schemes in order to help lay the groundwork for an EU-wide level proposal.
A commission spokesman commented that member states have until May 2018 to integrate the directive into their national laws.
However, Dimitris Avramopoulos, the European Commissioner for migration said that “The commission will be putting pressure on member states to implement it as soon as possible: we cannot wait for two years”.
12. October 2016
Dell just published the results of a global survey about the GDPR perceptions and readiness. Among other findings, the main result is the lack of awareness of the requirements, the preparation and the impact:
- More than 60 % answered that they are aware that something is going on with the GDPR. However, they said that they do not know what exactly is happening.
- Just 4 % outside of Europe commented that they are very knowledgeable about the details of the GDPR. Nevertheless, only 6 % of those in Europe answered that they are very familiar with the requirements.
- On top of this, less than 1 of 3 companies feel that they are prepared for the GDPR.
- Furthermore, about 70 % said that their company is definitely not, or do not know if their company is, prepared for the GDPR today. However, only 3 % of them have a plan in order to get ready.
- Fewer than 50 % commented that they feel confident to be ready in time when the GDPR comes into effect in 2018. Nevertheless, just 9 % expect to be fully prepared.
11. October 2016
The New York Post published that Verizon, which is about to purchase Yahoo for $4.8 billion, is now asking Yahoo for a $1 billion discount.
This is due to the fact that Yahoo announced only two weeks ago that it had been hacked two years ago and that at this time usernames and passwords for 500 million accounts were stolen. Furthermore, it was revealed that Yahoo had been ordered by a secret Foreign Intelligence Surveillance Court to investigate emails for terrorist signatures under the Foreign Intelligence Surveillance Act, but not under section 702.
According to the New York Post, a source said that AOL CEO, Tim Armstrong, “is getting cold feet” due to the “lack of disclosure” and therefore he is asking “Can we get out of this or can we reduce the price?”
10. October 2016
After Hamburg’s Data Protection Commissioner strongly recommended that Facebook should stop processing German data gained from WhatsApp, after the U.K. Information Commissioner, the ICO, also started to investigate the agreement betweent WhatsApp and Facebook and after Italy’s data protection authority, the Garante, has started to look into this issue, now Spain’s data protection authority, the AEPD, raises concerns.
Therefore, Spain’s data protection authority advises users to read the terms and conditions especially before accepting them. Furthermore, it offers guidance on changing the respective settings.
7. October 2016
A new biometric corporate credit card programm, called Identity Check Mobile, has been released by BMO Financial Group (BMO) and MasterCard in Canada and in the U.S. at the beginning of the year.
This programm enables cardholders to verify their transactions by using facial recognition and fingerprint biometrics in case they purchase online.
Introducing this verification process will increase security when purchasing without a face-to-face interaction so that the possibility of a card being used by anyone who is not the cardholder will be reduced.
Steve Pedersen, Vice President, Head, North American Corporate Card Products, BMO Financial Group commented on the programm by saying “The use of biometric technology has become more common for consumers looking for convenient and secure ways to make purchases using their smartphones, so this was the natural next step for us as innovators in the payment security space” he continued “Mitigating the risk of fraud is always our top priority, and the inclusion of this technology is going to make payment authentication easier, and strengthen the security of the entire payments ecosystem.”
MasterCard just published that starting from the 4th Octobre 2016 this form of payment is also available in Germany.