Article 29 WP releases opinion on data processing at work

11. July 2017

The Article 29 Working Party (WP) has released their opinion on data processing at work on the 8th of June 2017. The Opinion is meant as an amendment to the previous released documents on the surveillance of electronic communications (WP 55) and processing personal data in employment context (WP 48). This update should face the fast-changing technologies, the new forms of processing and the fading boundaries between home and work. It not only covers the Data Protection Directive but also the new rules in the General Data Protection Regulation that goes into effect on 25th of May 2018.

Therefore they listed nine different scenarios in the employment context where data processing can lead to a lack in data protection. These scenarios are data processing in the recruitment process and in-employment screening (especially by using social media platforms), using monitoring tools for information and communication technologies (ICT), usage at home/remote, using monitoring for time and attendance, use of video monitoring, use of vehicles by employees, the disclosure of data to third parties and the international transfer of employee data.

The Article 29 WP also pointed out the main risk for the fundamental rights of the employees. New technologies allow the employer tracking over a long time and nearly everywhere in a less visible way. This can result into chilling effects on the rights of employees because they think of a constant supervision.

As a highlight the Article 29 WP gives the following recommendations for dealing with data processing in the employment context:

  • only collect the data legitimate for the purpose and only with processing taking place under appropriate conditions,
  • consent is highly unlike to be a legal base for data processing, because of the imbalance in power between the employer and the employee,
  • track the location of employees only where it is strictly necessary,
  • communicate every monitoring to your employees effectively,
  • do a proportionality check prior the deployment of any monitoring tool,
  • be more concerned with prevention than with detection,
  • keep in mind data minimization; only process the data you really need to,
  • create privacy spaces for users,
  • on cloud uses: Ensure an adequate level of protection on every international transfer of employee data.

Many companies have not started preparing for the GDPR

27. June 2017

The General Data Protection Regulation (GDPR) will be applicable to all EU Member States from May 25th 2018. The GDPR will not just apply to EU companies, but also to non-EU companies that have dealings with data subjects that are located in the EU (see also Art. 3 (2) GDPR).

Companies, in specific, that fall under the regulations of the GDPR should be prepared to fulfil the requirements that are stated by the GDPR, due to the risk of an imposition of a fine if they fail to comply with the GDPR. This is in particular relevant since the fines for infringements of the GDPR have increased significantly (see also Art. 83 GDPR).

The implementations that companies have to make to comply with the GDPR involve high expenses and probably will be more time consuming than expected in most cases, depending on the size and complexity of the company. Especially the time factor has to be considered since it is less than a year left until May 2018.

However, according to a report of TrustArc, 61 % of the asked companies have not yet started with the implementation of their GDPR compliance programs.

TrustArc interviewed 204 privacy professionals from companies of different industries that will fall under the GDPR. These companies were divided into three categories based on the count of their employees: 500-1000 employees, 1000-5000 employees and more than 5000 employees.

23 % stated that they have started with the necessary implementations, 11 % that the implementations are driven forward and just 4 % stated that they had finished all necessary implementations to reach GDPR compliance.

The Report also shows the cost that companies expect to be need to implement what will be necessary to comply with the GDPR. Overall, 83% expect that their expenses will be in the six figures.

European Commission: €110 million fine for Facebook

23. May 2017

According to an European Commission Press release from the 18 May 2017, Facebook was fined €110 million by the Commission for providing misleading information about the takeover of WhatsApp.

Facebook acquired WhatsApp in 2014. Back then Facebook informed the European Commission that it would not be able to establish reliable automated matching between the users of Facebook and WhatsApp. Two years later, in August 2016, Facebook announced an update to its terms of service and privacy policy. The update included the possibility to link phone numbers of WhatsApp users with their respective Facebook accounts.

According to the Press release and contrary to the statement given by Facebook during the merger process 2014, the Commission has found that the possibility of automated linking of Facebook and WhatsApp users already existed in 2014.

Commissioner Margrethe Vestager, who is in charge of the competition policy, said: “Today’s decision sends a clear signal to companies that they must comply with all aspects of EU merger rules, including the obligation to provide correct information.”

It is the first time that the European Commission has imposed a fine on a company for the provision of misleading information since the Merger Regulation came into force in 2004.

Dynamic IP-addresses are personal data

19. May 2017

The German Federal Court (Bundesgerichtshof, BGH) decided, that dynamic IP-addresses are personal data. Also the BGH decides, that website operators are allowed to store the IP-address.

The judgement precedes on a decision of the European Court of Justice (EuGH) from the last year.

The EuGH decides, that a dynamic IP-address is a personal data, when the person concerned can be identified by means of the IP-address.

A German politician worried about the storing of his IP-address, because different federal institutes and authorities stored unasked his IP-address after he visited their websites. He fears, that the institutes and authorities are able to understand what he read and clicked on in the past times. Therefore his fundamental right on informational self-determination is infringed. He wants the court to decide, that his IP-address can be stored during his visit but not above.

The BGH now established, that the dynamic IP-address is personal data and the fundamental rights of the users should not be infringed, but websites are allowed to invest protocols of the surfers who visited their website, after the visitation, but only on the premise of emergency response. Especially in cases of hacker attacks. A criminal prosecution must be possible. The legal foundation is § 15 Telemediengesetz (TMG). § 15 I TMG must be interpreted compliant to the European law. Collection and processing of personal data must be required for the functionality of the service.

It is good to know that the website operator has no possibility of identifying the user by means of his IP-address, only the internet provider is able to identify the user by means of the IP-address, because the provider allocates the IP-address to the user.

Annual Transparency Report released by the US Intelligence

10. May 2017

In April 2017, the Office of the Director of National Intelligence released its fourth annual Statistical Transparency Report Regarding Use of National Security Authorities for calendar year 2016.

The annual Transparency Report provides information (in form of statistics) about how often the US government uses certain national security authorities for surveillance activities. Further, it explains under which legal basis a surveillance has to be performed and names national security authorities (besides the FISA authorities) that are involved, such as the CIA, FBI or the NSA.

It is shown that based on the applied surveillance activity and the purpose of the investigation, U.S.-persons as well as non-U.S.-persons can be targets. Furthermore, it is described which legal prerequisites have to be fulfilled when investigating a target.

For example, the Transparency Report provides information about the number of issued National Security Letters (NSLs) by the Federal Bureau of Investigation (FBI). The number of NSLs slightly decreased compared to last year. However the number of issued NSLs does not contain the number of individuals or organisations that are the subjects of the NSLs.

During an investigation, personal data may be collected for example telephone numbers or email addresses.

 

New German Data Protection Act

4. May 2017

The new German Federal Data Protection Act (Bundesdatenschutzgesetz – the ‘’new BDSG”), which will replace the Federal Data Protection Act of 2003, was adopted by the German Federal Parliament on April 27th 2017. The new Act´s aim is to adapt the current German data protection law to the GDPR (General Data Protection Regulation).

In a couple of weeks (probably on the May 12, 2017), the approval of the new BDSG by the German Federal Council is expected on plenary meeting. Once the new BDSG is adopted, it will become effective the same day as the GDPR.

In some respects, there are new BDSG requirements that are different from the GDPR. Among those, there are for instance such issues as: Data Protection Officer appointment, employee personal data processing, specific data processing requirements with respect to the video surveillance, scoring and creditworthiness and consumer credit.

For violations regarding exclusively the German law, the new BDSG imposes fines in amount up to 50, 000 EUR.

Category: GDPR · German Law

CIPL´s certifications

20. April 2017

On 12 April 2017, a discussion paper on Seals, Marks and Certifications under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms has been released by the Centre for Information Policy Leadership (“CIPL”).

It is regarded as a formal input into that process and contains recommendations on GDPR`s provisions on use of certification mechanisms and their development implementation.

Certifications may be profitable for multinational companies as they may facilitate business arrangements with service providers and business partners. Their comprehensive GDPR compliance structure should also be useful for medium-sized and small enterprises. Their potential to create interoperability with other legal regimes can also be used efficiently.

Namely, the Discussion Paper contains the following:

  • Certification is foreseen to be available for service, system, product and particular process or an entire privacy program
  • Certification should be created for the purpose of data transfers (art. 42 (2)(f))
  • Specific GDPR certification sectors may be covered by a sector-specific codes of conduct
  • Certification proliferation should be avoided in order to make it most wanted
  • Certifications should be adaptable to different contexts, affordable and scalable to the different companies sizes
  • Organization`s BCR approvals should be leveraged in order to achieve the certification
  • There should be created a common baseline certification, which may be directly used
  • Baseline certification should differentiate in its application depending on the certification bodes and processes
  • GDPR certification should be consistent with other certification schemes (the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, Japan Privacy Mark, ISO/IEC Standards, and the APEC CBPR)
  • DPAs should affirm certifications as recognized means of GDPRs compliance

Facebook & Instagram improve privacy for user data

10. April 2017

The social networks Facebook and Instagram improve the privacy of their customer data. In the past, a research held by the Civil Liberties Association (ACLU) had revealed data usage by third parties in he Internet analysis company “Geofeedia”, in which the company publicly viewed customer data from Facebook, Instagram and Twitter regarding participation in protest actions, which were evaluated and sold to government agencies. Facebook and Instagram responded by improving the conditions with regard to data usage so that they should be more stringent now. Accordingly, software developers are now expressly forbidden to use data from the networks for monitoring purposes. By the end of 2016 Twitter had already issued appropriate regulations.

Category: General · Personal Data
Tags: ,

Data Protection in the UK after the “Brexit”

4. April 2017

After the Brexit, keeping data by the UK companies and organizations is expected to become more certain locally than globally.

Elizabeth Denham, the UK’s Information Commissioner, recently commented before the House of Lords EU Home Affairs Sub-Committee, that the UK should apply to the European Commission for a full “adequacy” decision in terms of proving the adequate data protection measures as UK will become soon a non-EU country.

British government comments on the free trade deal with these words: “no deal for the UK is better than a bad deal for the UK”.

In the context of Brexit, it is crucial for the industry of the UK to keep the data-flows unhindered though.

British politician David Davis indicates that the UK and EU are now on their way to find and maintain equivalence (and not identity) in their relations (especially when it comes to business) in order to keep up their common interest.

Even though Davis is not using the “adequacy” term in his speech, this is what the UK technology industry is asking for.

Government assures that if no accord in that matter will be reached, there are still many alternatives to adequacy.

Category: UK
Tags: ,

New genetic testing law launch – USA

30. March 2017

The “Süddeutsche Zeitung” has reported that in the US, under the exclusion of the public, a new law on genetic testing was launched. According to this law, workers must submit genetic tests to their employers.
The genetic tests are not based on a voluntary basis, since the company will be allowed to demand genetic tests in the future. Therefore, employees must carry out a genetic test and disclose its results. This can be perceived as a strong intrusion into privacy, since genetic tests should be voluntary and, above all, there shall be no force to publish the results. Likewise according to the European Society of Human Genetics (ESHG).

The law seems to appall not only American geneticists. European scientists also expressed their fears that innovations in the field of bioethics would eventually spread from the USA on Europe, which can lead to the risk of an outreaching intervention into the private sphere of one being. Whether such an action in the European area is actually planned remains not known, however if such a law has to be passed, first the legal review by the supreme courts has to resist. Therefore, it looks like so far there should be nothing to fear about.
Regarding this topic, to prohibit such a genetic testing in the USA, there has already been a law, which was passed in 2008.

However, the interest of companies in such an investigation is undoubted. From then on, companies could get genetic information and therefore decide on the issues regarding their employees. It is clear that a risk-prone employee may be more costly to the company in case of illness. Employers could surely draw logical conclusions out of the results of the tests. These could, for instance, result in a non-renewal or non-adjustment of the employment contract.

One may say that the risk of a disease is not yet a certainty of a real outbreak of the disease. However the concern about the interference in the privacy should still be undoubtedly high.

Category: USA
Tags:
Pages: 1 2 3 4 5 6 7 8 9 10 ... 17 18 19 Next
1 2 3 19